I just started a new job, and inherited a problem with a child domain server. This Server 2012 server is the only domain controller for this child domain. I can't add another domain controller because the child domain server is not replicating to the parent domain, and DCDIAG shows that the "SERVER has not finished promoting to be a GC." It would appear there is no global catalog in the child domain available to show the computer account. It doesn’t matter if I add the NEW server to the domain before I start the AD Wizard or not. In both cases the Wizard fails with the error, "The operation failed because: A domain controller could not be contacted for the domain XXXX that contained an account for this computer. Make the computer a member of a workgroup and then rejoin the domain before trying the promotion. Access is denied." I've done this a couple of times but it doesn't make a difference.
I even tried to install from media, but I get the same error. I can't delete the domain and recreate it because it has lots of client computers.
I'm not sure what started it all, but one likely candidate is that the C: drive was full when I got here. I added a second disk and moved the TEMP and page files to D:, and cleaned up a bit so now there is 5.6GB free.
There are lots of things going on, and I keep going in circles. I need a completed global catalog on this server so I can add another domain controller. That would allow me to demote this server and re-promote it which would hopefully fix all the errors I'm having. But until I can get at least the global catalog working, I'm stumped.
I can't connect to the CHILD domain in AD Users and Computers. I get this error:
- The domain CHILD could not be found because: The server is not operational
I checked the firewall and it SAYS that all the ports are open between the two domains. I can telnet between the CHILD and PARENT domain on all the replication ports required, at least those that work between the PARENT controllers that are replicating properly (I get no response on ports 138 or 3268 on any of my domain controllers).
DCDIAG says:
C:\Users\Administrator>dcdiag | more
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = CHILDSERVER
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\CHILDSERVER
Starting test: Connectivity
......................... CHILDSERVER passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\CHILDSERVER
Starting test: Advertising
Warning: CHILDSERVER has not finished promoting to be a GC.
Check the event log for domains that cannot be replicated.
Warning: CHILDSERVER is not advertising as a global catalog.
Check that server finished GC promotion.
Check the event log on server that enough source replicas for the GC are available.
......................... CHILDSERVER failed test Advertising
Starting test: FrsEvent
......................... CHILDSERVER passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... CHILDSERVER failed test DFSREvent
Starting test: SysVolCheck
......................... CHILDSERVER passed test SysVolCheck
Starting test: KccEvent
(NOTE: DUPLICATE EVENTS NOT SHOWN)
* An error event occurred. EventID: 0xC000066D
Time Generated: 09/24/2014 13:23:42
Event String:
Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
* A warning event occurred. EventID: 0x80000677
Time Generated: 09/24/2014 13:23:42
Event String:
Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful.
* An error event occurred. EventID: 0xC0000466
Time Generated: 09/24/2014 13:23:42
Event String:
Active Directory Domain Services was unable to establish a connection with the global catalog.
* A warning event occurred. EventID: 0x80000785
Time Generated: 09/24/2014 13:24:06
Event String:
The attempt to establish a replication link for the following writable directory partition failed.
* A warning event occurred. EventID: 0x80000785
Time Generated: 09/24/2014 13:24:06
Event String:
The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
* An event occurred. EventID: 0x40000617
Time Generated: 09/24/2014 13:32:24
Event String:
The local domain controller has been selected to be a global catalog . However, the domain controller does not host a read-only replica of the following directory partition.
* An event occurred. EventID: 0x4000062A
Time Generated: 09/24/2014 13:32:24
Event String:
Promotion of the local domain controller to a global catalog has been delayed because the directory partition occupancy requirements have not been met. The occupancy requirement level and current domain controller level are as follows.
* An event occurred. EventID: 0x40000456
Time Generated: 09/24/2014 13:32:24
Event String:
Promotion of this domain controller to a global catalog will be delayed for the following interval.
......................... CHILDSERVER failed test KccEvent
Starting test: KnowsOfRoleHolders
[PARENT1] DsBindWithSpnEx() failed with error 5,
Access is denied..
Warning: PARENT1 is the Schema Owner, but is not responding to DS RPC Bind.
[PARENT1] LDAP bind failed with error 1326,
The user name or password is incorrect..
Warning: PARENT1 is the Schema Owner, but is not responding to LDAP Bind.
Warning: PARENT1 is the Domain Owner, but is not responding to DS RPC Bind.
Warning: PARENT1 is the Domain Owner, but is not responding to LDAP Bind.
......................... CHILDSERVER failed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... CHILDSERVER passed test MachineAccount
Starting test: NCSecDesc
......................... CHILDSERVER passed test NCSecDesc
Starting test: NetLogons
......................... CHILDSERVER passed test NetLogons
Starting test: ObjectsReplicated
......................... CHILDSERVER passed test ObjectsReplicated
Starting test: Replications
[Replications Check,CHILDSERVER] A recent replication attempt failed:
From PARENT2 to CHILDSERVER
Naming Context: DC=ForestDnsZones,DC=cee-w,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2014-09-24 13:02:23.
The last success occurred at 2014-01-18 20:49:14.
5935 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
[PARENT2] DsBindWithSpnEx() failed with error 5,
Access is denied..
[Replications Check,CHILDSERVER] A recent replication attempt failed:
From PARENT2 to CHILDSERVER
Naming Context: CN=Schema,CN=Configuration,DC=cee-w,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2014-09-24 13:02:23.
The last success occurred at 2014-01-18 20:49:14.
5935 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
[Replications Check,CHILDSERVER] A recent replication attempt failed:
From PARENT2 to CHILDSERVER
Naming Context: CN=Configuration,DC=cee-w,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2014-09-24 13:02:23.
The last success occurred at 2014-01-18 20:49:13.
5942 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
......................... CHILDSERVER failed test Replications
Starting test: RidManager
......................... CHILDSERVER passed test RidManager
Starting test: Services
......................... CHILDSERVER passed test Services
Starting test: SystemLog
* An error event occurred. EventID: 0xC00038D6
Time Generated: 09/24/2014 12:59:25
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
* A warning event occurred. EventID: 0x000727A5
Time Generated: 09/24/2014 13:01:03
Event String:
The WinRM service is not listening for WS-Management requests.
* An error event occurred. EventID: 0xC0FF05DC
Time Generated: 09/24/2014 13:02:03
Event String:
The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.
* A warning event occurred. EventID: 0x00001796
Time Generated: 09/24/2014 13:02:23
Event String:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
* An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:02:28
Event String:
The dynamic registration of the DNS record 'CHILD-DOMAIN.DOMAIN.NET. 600 IN A 192.168.215.15' failed on the following DNS server:
* An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:02:30
Event String:
The dynamic registration of the DNS record '_ldap._tcp.CHILD-DOMAIN.DOMAIN.NET. 600 IN SRV 0 100 389 CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
* An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:02:32
Event String:
The dynamic registration of the DNS record '40b4b99e-4e62-42ee-aa39-66d69b66660f._msdcs.DOMAIN.NET. 600 IN CNAME CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
* An error event occurred. EventID: 0x00000457
Time Generated: 09/24/2014 13:04:08
Event String:
Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
* A warning event occurred. EventID: 0x000727AA
Time Generated: 09/24/2014 13:04:30
Event String:
The WinRM service failed to create the following SPNs: WSMAN/CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET; WSMAN/CHILDSERVER.
* An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:07:32
Event String:
The dynamic registration of the DNS record '40b4b99e-4e62-42ee-aa39-66d69b66660f._msdcs.DOMAIN.NET. 600 IN CNAME CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
* An error event occurred. EventID: 0x0000168F
Time Generated: 09/24/2014 13:17:32
Event String:
The dynamic deletion of the DNS record '_gc._tcp.DOMAIN.NET. 600 IN SRV 0 100 3268 CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
* An error event occurred. EventID: 0x0000168F
Time Generated: 09/24/2014 13:17:32
Event String:
The dynamic deletion of the DNS record '_gc._tcp.Default-First-Site-Name._sites.DOMAIN.NET. 600 IN SRV 0 100 3268 CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
* An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:17:34
Event String:
The dynamic registration of the DNS record '40b4b99e-4e62-42ee-aa39-66d69b66660f._msdcs.DOMAIN.NET. 600 IN CNAME CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
* An error event occurred. EventID: 0x0000168E
Time Generated: 09/24/2014 13:37:36
Event String:
The dynamic registration of the DNS record '40b4b99e-4e62-42ee-aa39-66d69b66660f._msdcs.DOMAIN.NET. 600 IN CNAME CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
......................... CHILDSERVER failed test SystemLog
Starting test: VerifyReferences
......................... CHILDSERVER passed test VerifyReferences
Running partition tests on : CHILD-DOMAIN
Starting test: CheckSDRefDom
......................... CHILD-DOMAIN passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... CHILD-DOMAIN passed test CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running enterprise tests on : DOMAIN.NET
Starting test: LocatorCheck
......................... DOMAIN.NET passed test LocatorCheck
Starting test: Intersite
......................... DOMAIN.NET passed test Intersite
The DIRECTORY SERVICE ERROR LOG shows:
* Event ID: 1126. Active Directory Domain Services was unable to establish a connection with the global catalog. Error value: 1355 The specified domain either does not exist or could not be contacted.
* Event ID: 1126. Active Directory Domain Services was unable to establish a connection with the global catalog. Error value: 8430 The directory service encountered an internal failure.
* Event ID: 1655. Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful. Global catalog: \\PARENT4.DOMAIN.NET The operation in progress might be unable to continue. Active Directory Domain Services will use the domain controller locator to try to find an available global catalog server.
* Event ID: 1645. Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
* Event ID: 1869. Active Directory Domain Services has located a global catalog in the following site. Global catalog: \\PARENT4.DOMAIN.NET
* Event ID: 1645. Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
Destination directory server:
\\PARENT3.DOMAIN.NET
SPN:
GC/PARENT3.DOMAIN.NET/DOMAIN.NET@DOMAIN.NET
The ACTIVE DIRECTORY ERROR LOG shows:
* Event ID: 1202. This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.
The DNS SERVER ERROR LOG shows:
* Event ID: 4512. The DNS server was unable to create the built-in directory partition DomainDnsZones.CHILD-DOMAIN.DOMAIN.NET. The error was 9571.
* Event ID: 4013. The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
The WINDOWS SYSTEM ERROR LOG shows:
* Event ID: 5774. The dynamic registration of the DNS record '40b4b99e-4e62-42ee-aa39-66d69b66660f._msdcs.DOMAIN.NET. 600 IN CNAME CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
DNS server IP address: 172.20.200.170
Returned Response Code (RCODE): 5
Returned Status Code: 9017
* Event ID: 5775. The dynamic deletion of the DNS record '_gc._tcp.Default-First-Site-Name._sites.DOMAIN.NET. 600 IN SRV 0 100 3268 CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
DNS server IP address: 172.21.24.16
Returned Response Code (RCODE): 5
Returned Status Code: 9017
* Event ID: 5775. The dynamic deletion of the DNS record '_gc._tcp.DOMAIN.NET. 600 IN SRV 0 100 3268 CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET.' failed on the following DNS server:
DNS server IP address: 172.21.24.16
Returned Response Code (RCODE): 5
Returned Status Code: 9017
I don't see any DFS REPLICATION ERROR LOG entries, although I had to reinitialize replication after I freed up disk space.
REPADMIN /REPLSUMMARY shows:
C:\Users\Administrator>repadmin /replsummary
Replication Summary Start Time: 2014-09-24 14:26:44
Beginning data collection for replication summary, this may take awhile:
.........
Source DSA largest delta fails/total %% error
PARENT2 >60 days 3 / 3 100 (5) Access is denied.
Destination DSA largest delta fails/total %% error
CHILDSERVER >60 days 3 / 3 100 (5) Access is denied.
Experienced the following operational errors trying to retrieve replication information:
1326 - PARENT1.DOMAIN.NET
1326 - PARENT2.DOMAIN.NET
1326 - PARENT3.DOMAIN.NET
1326 - PARENT4.DOMAIN.NET
58 - 81cd2013-357e-40ed-a006-e6546fc6735f._msdcs.DOMAIN.NET
C:\Users\Administrator>
I looked at the SPNs on each domain controller, but there is no mingling of SPNs between PARENT and FOREST domain. I'm not sure if there should be. PARENT1 through PARENT2 contain references to each other, but none to CHILDSERVER, and vice versa. I tried running SETSPN -A per the KB article the ERROR LOG reference said, but it fails because the computer accounts cannot be identified across the PARENT/CHILD domain boundary.
I know this is a permissions or replication issue, but I just don't know where to start. Can anyone help?
Thanks, Jack
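The following is an added read-only diagnostic script, not part of Jack's post, that checks the concrete items his logs name: the three DNS records that failed to register with RCODE 5, the update policy of the zone on the two DNS servers that refused them, the GC SPN from Event 1645, and the child DC's own GC readiness. Host names, IPs and the DSA GUID are taken from the redacted output above; it assumes the ActiveDirectory and DnsServer modules are installed on CHILDSERVER and that a parent-domain credential is available for the LDAP reads.

```powershell
# Added diagnostic example, not from the original post. Names, IPs and the DSA GUID
# are taken from the redacted logs above; parent-domain credentials are assumed.
# Run on CHILDSERVER. Everything here is read-only: DNS queries and LDAP reads.
Import-Module ActiveDirectory
Import-Module DnsServer

$childDc    = 'CHILDSERVER.CHILD-DOMAIN.DOMAIN.NET'
$forestRoot = 'DOMAIN.NET'
$dnsServers = @('172.20.200.170', '172.21.24.16')     # the servers that returned RCODE 5
$dsaGuid    = '40b4b99e-4e62-42ee-aa39-66d69b66660f'  # DSA GUID in the failed CNAME
$parentCred = Get-Credential -Message 'Account in the parent domain DOMAIN.NET'

# 1. Local view: has this DC ever finished GC promotion?
$root = Get-ADRootDSE -Properties isGlobalCatalogReady
"Local isGlobalCatalogReady : $($root.isGlobalCatalogReady)"

# 2. The records the System log says could not be registered or deleted.
$records = @(
    @{ Name = "_ldap._tcp.CHILD-DOMAIN.$forestRoot"; Type = 'SRV'   },
    @{ Name = "_gc._tcp.$forestRoot";                Type = 'SRV'   },
    @{ Name = "$dsaGuid._msdcs.$forestRoot";         Type = 'CNAME' }
)
foreach ($srv in $dnsServers) {
    foreach ($r in $records) {
        try {
            $ans = Resolve-DnsName -Name $r.Name -Type $r.Type -Server $srv -DnsOnly -ErrorAction Stop
            # SRV answers carry NameTarget, CNAME answers carry NameHost
            $hit = $ans | Where-Object { ($_.NameTarget, $_.NameHost) -contains $childDc }
            $state = if ($hit) { 'points at CHILDSERVER' } else { 'exists, but not for CHILDSERVER' }
        } catch { $state = "MISSING ($($_.Exception.Message))" }
        '{0,-15} {1,-5} {2,-50} {3}' -f $srv, $r.Type, $r.Name, $state
    }
    # RCODE 5 (refused) on a dynamic update is usually the zone's update policy, not the network
    Get-DnsServerZone -ComputerName $srv -Name $forestRoot -ErrorAction SilentlyContinue |
        Select-Object @{n='Server';e={$srv}}, ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope |
        Format-Table -AutoSize
}

# 3. The SPN that Event 1645 says the KDC cannot find: is it on PARENT3's computer account?
$wanted  = "GC/PARENT3.$forestRoot/$forestRoot"
$parent3 = Get-ADComputer -Identity 'PARENT3' -Server $forestRoot -Credential $parentCred -Properties servicePrincipalName
"SPN $wanted registered on PARENT3 : $($parent3.servicePrincipalName -contains $wanted)"

# 4. The child DC's own account (the LDAP bind 1326 above points at its credentials)
$childAcct = Get-ADComputer -Identity 'CHILDSERVER' -Server 'CHILD-DOMAIN.DOMAIN.NET' -Properties PasswordLastSet, servicePrincipalName
"CHILDSERVER machine password last set : $($childAcct.PasswordLastSet)"
"CHILDSERVER GC SPNs : $($childAcct.servicePrincipalName | Where-Object { $_ -like 'GC/*' })"
```

A record reported MISSING on both servers, or a zone whose DynamicUpdate is not Secure, narrows the RCODE 5 failures to the DNS side; a PasswordLastSet older than the last successful replication (2014-01-18 in the repadmin output) points at the machine account instead.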