Problems with DR Tests in Windows 2003 AD

jnex26

Junior Member
Aug 4, 2006
Hi All,

I've got a problem with a DR test I am trying to perform.

We have restored the primary domain controller, AD, Microsoft Exchange and all the other services. The machine is up and running.

The problem is that in the "live" environment it has a secondary "backup" domain controller, which at the moment has not been restored because it's our backup server and it's restoring other machines.

However, when we try to connect a desktop to the domain we get an error: Domain controllers are not connected to the network or not running.

We are also getting an error in the event log:

(Windows cannot query for a list of group policy objects) Userenv (Error code 1030)

Any ideas?
 

DaiShan

Diamond Member
Jul 5, 2001
Since AD is multi-master, your clients may be attempting to authenticate against your semi-functional "backup" server. Try either segregating it from your live network, or if possible, remove it and connect your clients to your restored DC.

/edit I missed the error message, make sure that DNS is installed and running on your DC and that your clients are set to use your DC (or whichever DNS server is hosting the information) as their primary DNS server.
 

jnex26

Junior Member
Aug 4, 2006
Hi, thanks for the clues.

I've attached a DC Diag with all the working parts cut out. If that helps.

Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\SERV1\netlogon)
[SERV1] An net use or LsaPolicy operation failed with error 53, The network path was not found..
......................... SERV1 failed test NetLogons

Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
An Warning Event occured. EventID: 0x800034FE
Time Generated: 08/03/2006 13:43:22
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C4
Time Generated: 08/03/2006 13:53:57
(Event String could not be retrieved)
......................... SERV1 failed test frsevent

Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x825A0011
Time Generated: 08/03/2006 15:29:02
Event String: Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: No such service is known. The service cannot be found in the specified name space. (0x8007277C)

Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
No KDC found for domain BUS1.local in site Default-First-Site-Name (1355, NULL)
[SERV1] Unable to contact a KDC for the destination domain in it's own site. This means either there are no available KDC's for this domain in the site, *including* the destination DC itself, or we're having network or packet fragmentation issues connecting to it. We'll check packet fragmentation connection to the destination DC, make recommendations, and continue.
Checking UDP fragmentation issues to SERV1.
Warning: The maximum non-fragmentable UDP transfer unit is 1472.
This isn't a sufficient size for operation if any DC's in the enterprise are Win2k SP3 or earlier.
Solution: Either install at least W2K SP4 or better, or configure the network to allow non-fragmented UDP packets of at least 2008 bytes.
No KDC found for domain BUS1.local in site (ALL SITES) (1355, NULL)
[SERV1] Unable to contact a KDC for the destination domain. If no KDC for the destination domain is available, replication will be blocked!
If there is some KDC for that domain available, check network connectivity issues or see possible packet fragmentation issues above.
Checking machine account for DC SERV1 on DC SERV1.
* SPN found :LDAP/serv1.BUS1.local/BUS1.local
* SPN found :LDAP/serv1.BUS1.local
* SPN found :LDAP/SERV1
* SPN found :LDAP/serv1.BUS1.local/BUS1
* SPN found :LDAP/3132fbf3-56ea-4f5e-bc59-4bbcf164b254._msdcs.BUS1.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/3132fbf3-56ea-4f5e-bc59-4bbcf164b254/BUS1.local
* SPN found :HOST/serv1.BUS1.local/BUS1.local
* SPN found :HOST/serv1.BUS1.local
* SPN found :HOST/SERV1
* SPN found :HOST/serv1.BUS1.local/BUS1
* SPN found :GC/serv1.BUS1.local/BUS1.local
[SERV1] No security related replication errors were found on this DC! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... SERV1 passed test CheckSecurityError

Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 5
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 5
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 5
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 5
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 5
A KDC could not be located - All the KDCs are down.
......................... BUS1.local failed test FsmoCheck

Starting test: DNS
Test results for domain controllers:

DC: serv1.BUS1.local
Domain: BUS1.local


TEST: Authentication (Auth)
Authentication test: Successfully completed

TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003 for Small Business Server (Service Pack level: 1.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000009] IBM Netfinity Fault Tolerance PCI Adapter:
MAC address is 00:06:29:38:D6:15
IP address is static
IP address: 10.0.0.1
DNS servers:
10.0.0.1 (serv1.BUS1.local.) [Valid]
Warning: 10.0.0.2 (<name unavailable>) [Invalid (unreachable)]
The A record for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found (primary)
Root zone on this DC/DNS server was not found


TEST: Delegations (Del)
Delegation information for the zone: BUS1.local.
Delegated domain name: _msdcs.BUS1.local.
DNS server: serv1.BUS1.local. IP:10.0.0.1 [Valid]

TEST: Dynamic update (Dyn)
Dynamic update is enabled on the zone BUS1.local.
Test record _dcdiag_test_record added successfully in zone BUS1.local.
Test record _dcdiag_test_record deleted successfully in zone BUS1.local.

TEST: Records registration (RReg)
Network Adapter [00000009] IBM Netfinity Fault Tolerance PCI Adapter:
Matching A record found at DNS server 10.0.0.1:
serv1.BUS1.local

Matching CNAME record found at DNS server 10.0.0.1:
3132fbf3-56ea-4f5e-bc59-4bbcf164b254._msdcs.BUS1.local

Matching DC SRV record found at DNS server 10.0.0.1:
_ldap._tcp.dc._msdcs.BUS1.local

Matching GC SRV record found at DNS server 10.0.0.1:
_ldap._tcp.gc._msdcs.BUS1.local

Matching PDC SRV record found at DNS server 10.0.0.1:
_ldap._tcp.pdc._msdcs.BUS1.local


Summary of test results for DNS servers used by the above domain controllers:
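
Added example, not part of any poster's message: a small triage script for dcdiag text output like the listing above. It reports each test's verdict, flags tests whose verdict line was trimmed from the paste, and lists the DC locator (DcGetDcName) failures. The sample input is an excerpt of the output posted in this thread; the function and variable names are made up for this illustration.

```python
import re

# Excerpt of the dcdiag output posted above (trimmed for the example).
SAMPLE = r"""
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\SERV1\netlogon)
[SERV1] An net use or LsaPolicy operation failed with error 53, The network path was not found..
......................... SERV1 failed test NetLogons
Starting test: systemlog
An Error Event occured. EventID: 0x825A0011
Starting test: CheckSecurityError
No KDC found for domain BUS1.local in site Default-First-Site-Name (1355, NULL)
......................... SERV1 passed test CheckSecurityError
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 5
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 5
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 5
......................... BUS1.local failed test FsmoCheck
"""

# Standard Win32 error codes that appear in the listing.
WIN32 = {5: "ERROR_ACCESS_DENIED", 53: "ERROR_BAD_NETPATH", 1355: "ERROR_NO_SUCH_DOMAIN"}

START = re.compile(r"^\s*Starting test:\s*(\S+)")
VERDICT = re.compile(r"^\s*\.{5,}\s*(\S+)\s+(passed|failed)\s+test\s+(\S+)")
LOCATOR = re.compile(r"DcGetDcName\((\w+)\) call failed, error (\d+)")

def triage(text):
    """Return (verdicts, locator_failures) for dcdiag text output.

    verdicts maps test name -> 'passed' | 'failed' | 'no verdict'; the last
    value means the paste was cut before that test's summary line.
    locator_failures is a list of (flag, win32_error_code) tuples.
    """
    verdicts, locator = {}, []
    for line in text.splitlines():
        if m := START.match(line):
            verdicts.setdefault(m.group(1), "no verdict")
        elif m := VERDICT.match(line):
            verdicts[m.group(3)] = m.group(2)
        elif m := LOCATOR.search(line):
            locator.append((m.group(1), int(m.group(2))))
    return verdicts, locator

if __name__ == "__main__":
    verdicts, locator = triage(SAMPLE)
    for name, result in verdicts.items():
        print(f"{name:20} {result}")
    for flag, code in locator:
        print(f"locator: {flag} -> error {code} ({WIN32.get(code, 'unknown')})")
```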
 

nweaver

Diamond Member
Jan 21, 2001
You have DNS problems, or other major issues...

Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 5
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 5
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 5
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 5
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 5
A KDC could not be located - All the KDCs are down.
......................... BUS1.local failed test FsmoCheck

We are going to need more info to help with this, but for now, it really looks like your AD is pretty goobered, and over a forum is going to be painful. If you are unsure of how to set up FSMO roles with Active Directory, then please seek professional help. It's good to test your DRP, but you have to have an integrated understanding of AD/DNS, etc. and make sure you build your test environment correctly.
 

stash

Diamond Member
Jun 22, 2000
Looks like you are using SBS, which may be why you are having issues. With SBS in the environment, you can have other DCs, but only the SBS server can hold the FSMO roles.