Channel: Directory Services forum

Schema master role held but not considered valid


I am getting the following error on boot-up on a new DC that I've promoted and moved all the FSMO roles to. The funny thing is that I can ping this "failing DNS host name" and it resolves correctly to the old DC, which is still online and functional. No changes have been made to its name, IP or anything else, other than having its FSMO roles moved to the new DC and having its GC unchecked, and then eventually checked again to make it a GC after I had some problems (detailed later):

Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. 

Source domain controller: 
 oldserver 
Failing DNS host name: 
 cf67bfb1-d468-47de-9b4e-b129d36ef406._msdcs.domain.com 

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1: 

Registry Path: 
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client 

User Action: 

 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498. 

 2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>". 

 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 

  dcdiag /test:dns 

 4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows: 

  dcdiag /test:dns 

 5) For further analysis of DNS error failures see KB 824449: 
   http://support.microsoft.com/?kbid=824449 

Additional Data 
Error value: 
 11004 The requested name is valid, but no data of the requested type was found. 

I get the above error, then:

All problems preventing updates to the Active Directory Database have been cleared. New updates to the Active Directory database are succeeding. The Net Logon service has restarted.

Then a few minutes later: 

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. 
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected. 
 
FSMO Role: CN=Schema,CN=Configuration,DC=domain,DC=com 
 
User Action: 
 
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476. 
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example, there may be problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication. 
3. In the rare event that all replication partners being down is an expected occurrence, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com. 
 
The following operations may be impacted: 
Schema: You will no longer be able to modify the schema for this forest. 
Domain Naming: You will no longer be able to add or remove domains from this forest. 
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts. 
RID: You will not be able to allocate new security identifiers for new user accounts, computer accounts or security groups. 
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

dcdiag completes successfully using the old and new DC as targets, repadmin /showrepl shows all successful, and dcdiag /knowsofroleholders states all roles are held by the new DC. Do I need to fix this DNS issue for the schema role to be validated? Is that the root of my problems?

Thanks for any help.

A little backstory:

I have an old 2003 32-bit server with SP2; I'm not sure how much it's patched beyond that. I've installed and promoted a new 2003 R2 x64 server (SP2 and fully patched), transferred all FSMO roles and made it the GC, and unchecked GC on the old server. While the old DC's NIC was unplugged (for testing), I wasn't able to resolve names (Check Name) when adding only new clients (creating a new Outlook profile) to Exchange 2007; existing clients connected fine and all other network resources seemed to function correctly. I thought Exchange wasn't finding the new GC; even after multiple reboots, dcdiag came back clean, etc. I posted in the Exchange forum and after some talking they think it's an AD issue. I've since made the old DC a global catalog again to fix the Check Name issue I was having, but I still need to resolve this and demote the old server. 
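The check that steps 3 and 4 of the first event's User Action describe, written out as an added example (this is not part of the original post, and not Microsoft's own tooling). The record the event complains about, cf67bfb1-..._msdcs.domain.com, is the CNAME named after the objectGUID of the source DC's NTDS Settings object (the "DSA object GUID" that repadmin /showrepl prints), and it must resolve to the DC's host record. Error 11004 (WSANO_DATA, "valid name, no data record of requested type") is what the new DC sees when the name exists but no A record comes back for the target, which is exactly the case where ping from a workstation that uses a different resolver still succeeds. The script therefore queries the DNS servers the destination DC is configured with, not the workstation's. It assumes the ActiveDirectory and DnsClient PowerShell modules (RSAT on Windows 8 / Server 2012 or later, so it has to run from a newer admin box joined to the forest, not from the 2003 DCs themselves); domain.com stands in for the real forest name.

```powershell
# Added example, not from the original post. For every DC in the forest, verify that
# <NTDS-Settings-objectGUID>._msdcs.<forest-root> exists as a CNAME on each DNS server
# tested, that its target has an A record, and that the address matches the DC's
# registered IPv4 address. Assumptions: ActiveDirectory + DnsClient modules present,
# workstation joined to the forest. Pass -DnsServer with the resolvers the *destination*
# DC uses; those produced the 11004, not the ones your ping went through.
function Test-DcGuidCname {
    [CmdletBinding()]
    param(
        [string[]]$DnsServer = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } |
            Select-Object -ExpandProperty ServerAddresses -Unique)
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    Import-Module DnsClient       -ErrorAction Stop

    $forest = Get-ADForest
    # GUID CNAMEs for every DC in the forest live in the forest-root _msdcs zone.
    $msdcs  = "_msdcs.$($forest.RootDomain)"

    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            # The CNAME is named after the NTDS Settings object's GUID, not the computer
            # object's GUID. NTDSSettingsObjectDN is exposed on the ADDomainController object.
            $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN `
                            -Properties objectGUID -Server $domain).objectGUID
            $cname   = "$($dsaGuid.Guid).$msdcs"

            foreach ($srv in $DnsServer) {
                $target = $null; $ip = $null; $status = 'OK'
                try {
                    # -DnsOnly bypasses the local cache and hosts file so the answer is
                    # what this particular server really returns right now.
                    $c = Resolve-DnsName -Name $cname -Type CNAME -Server $srv -DnsOnly -ErrorAction Stop |
                         Where-Object { $_.Type -eq 'CNAME' }
                    if (-not $c) { throw "no CNAME record for $cname" }
                    $target = $c.NameHost

                    $a = Resolve-DnsName -Name $target -Type A -Server $srv -DnsOnly -ErrorAction Stop |
                         Where-Object { $_.Type -eq 'A' }
                    # CNAME present but target has no A record: the 11004 case from the event.
                    if (-not $a) { throw "CNAME target $target has no A record (WSANO_DATA / 11004)" }
                    $ip = ($a.IPAddress | Sort-Object) -join ','

                    # A record exists but points at the wrong address: stale registration.
                    if ($dc.IPv4Address -and ($a.IPAddress -notcontains $dc.IPv4Address)) {
                        $status = "STALE A record, expected $($dc.IPv4Address)"
                    }
                } catch {
                    $status = "FAIL: $($_.Exception.Message)"
                }
                [pscustomobject]@{
                    DC          = $dc.HostName
                    DnsServer   = $srv
                    GuidCname   = $cname
                    CnameTarget = $target
                    ResolvedIP  = $ip
                    Status      = $status
                }
            }
        }
    }
}

# Default run tests this machine's resolvers; e.g. Test-DcGuidCname -DnsServer 10.0.0.5,10.0.0.6
Test-DcGuidCname | Format-Table -AutoSize
```

Any row that is not OK against a server the new DC lists in its NIC DNS settings is the name-resolution failure the event is about, and until replication from the source succeeds the FSMO roles on the new DC stay unvalidated regardless of what dcdiag /knowsofroleholders reports. The same check without the modules, from any box: take the "DSA object GUID" line from repadmin /showrepl on the old DC and run nslookup -type=cname <guid>._msdcs.domain.com <ip-of-the-new-DC's-DNS-server>. If the record is missing or stale, re-registering from the old DC with nltest /dsregdns (and ipconfig /registerdns for the host record) against a DNS server that holds a writable copy of the zone, then re-running dcdiag /test:dns on the new DC's console as the event suggests, is the usual path.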
