Unable to decommission a Windows 2008 DC via dcpromo

I've got a Windows 2008 box that was my only DC in my test network that is on some rather aged hardware. I've built a new box to replace the old DC with, installed Server 2008 on it, added it to the domain, ran dcpromo, kicked it up to a GC, and transferred the FSMO roles over to it. However, when I run dcpromo on the old box that I'm wanting to retire, I get the following message:

"You did not indicate that this Active Directory domain controller is the last domain controller for the domain test.dns. However, no other Active Directory domain controllers for that domain can be contacted."

I've also noticed that when the old box is powered down, none of my test workstations can map a drive to the new server, due to an authentication failure. The ID that the server is logged into is an enterprise admin ID, and this is a single domain setup (no child domains in the forest). Both the forest and the domain are at 2008 functional level. Each server has DNS installed and is AD Integrated. Each server points to the other for DNS primary, and itself for secondary.

I'm sure there is more information that is needed that I haven't provided, just let me know what you need and I'll post it, but if anyone can help me out, I'd really like to learn what this issue is and how to fix it.

Hello Haji,

Run diagnostics dcdiag /v and repadmin /showrepl to check for errors and make sure both DCs have replicated. Are both listed in the DNS zones with their A record and name server record and also under all subfolders?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

dcdiag from server2, which is the new one:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine server2, is a Directory Server.
   Home Server = server2
   * Connecting to directory service on server server2.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\server2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         Determining IP6 connectivity
         * Active Directory RPC Services Check
         ......................... server2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\server2
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\server1.domain.dns, when we were trying to reach server2.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... server2 failed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
         An Warning Event occurred. EventID: 0x800034C4
            Time Generated: 07/04/2009 19:53:44
            Event String:
            The File Replication Service is having trouble enabling replication from server1.domain.dns to server2 for c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS will keep retrying.
            Following are some of the reasons you would see this warning.
            [1] FRS can not correctly resolve the DNS name server1.domain.dns from this computer.
            [2] FRS is not running on server1.domain.dns.
            [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
            This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
         An Warning Event occurred. EventID: 0x800034FE
            Time Generated: 07/05/2009 17:59:10
            Event String:
            File Replication Service is scanning the data in the system volume. Computer server2 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
            To check for the SYSVOL share, at the command prompt, type:
            net share
            When File Replication Service completes the scanning process, the SYSVOL share will appear.
            The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume.
         An Warning Event occurred. EventID: 0x800034C4
            Time Generated: 07/05/2009 18:02:00
            Event String:
            The File Replication Service is having trouble enabling replication from server1.domain.dns to server2 for c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS will keep retrying.
            Following are some of the reasons you would see this warning.
            [1] FRS can not correctly resolve the DNS name server1.domain.dns from this computer.
            [2] FRS is not running on server1.domain.dns.
            [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
            This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
         An Warning Event occurred. EventID: 0x800034FE
            Time Generated: 07/05/2009 18:08:29
            Event String:
            File Replication Service is scanning the data in the system volume. Computer server2 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
            To check for the SYSVOL share, at the command prompt, type:
            net share
            When File Replication Service completes the scanning process, the SYSVOL share will appear.
            The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume.
         An Warning Event occurred. EventID: 0x800034C4
            Time Generated: 07/05/2009 18:10:22
            Event String:
            The File Replication Service is having trouble enabling replication from server1.domain.dns to server2 for c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS will keep retrying.
            Following are some of the reasons you would see this warning.
            [1] FRS can not correctly resolve the DNS name server1.domain.dns from this computer.
            [2] FRS is not running on server1.domain.dns.
            [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
            This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
         An Warning Event occurred. EventID: 0x800034C4
            Time Generated: 07/05/2009 18:18:22
            Event String:
            The File Replication Service is having trouble enabling replication from server1 to server2 for c:\windows\sysvol\domain using the DNS name server1.domain.dns. FRS will keep retrying.
            Following are some of the reasons you would see this warning.
            [1] FRS can not correctly resolve the DNS name server1.domain.dns from this computer.
            [2] FRS is not running on server1.domain.dns.
            [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
            This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
         ......................... server2 passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
         An Error Event occurred. EventID: 0xC00004B2
            Time Generated: 07/05/2009 17:59:35
            Event String:
            The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
            Additional Information:
            Error: 160 (One or more arguments are not correct.)
         ......................... server2 failed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         The registry lookup failed to determine the state of the SYSVOL. The error returned was 0x0 "The operation completed successfully.". Check the FRS event log to see if the SYSVOL has successfully been shared.
         ......................... server2 passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... server2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
         Role Domain Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
         Role PDC Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
         Role Rid Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
         ......................... server2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC server2 on DC server2.
         * SPN found :LDAP/server2.domain.dns/domain.dns
         * SPN found :LDAP/server2.domain.dns
         * SPN found :LDAP/server2
         * SPN found :LDAP/server2.domain.dns/domain
         * SPN found :LDAP/d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/d963b078-1f27-4154-8436-870d19935efe/domain.dns
         * SPN found :HOST/server2.domain.dns/domain.dns
         * SPN found :HOST/server2.domain.dns
         * SPN found :HOST/server2
         * SPN found :HOST/server2.domain.dns/domain
         * SPN found :GC/server2.domain.dns/domain.dns
         ......................... server2 passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC server2.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for DC=ForestDnsZones,DC=domain,DC=dns (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=ForestDnsZones,DC=domain,DC=dns
         * Security Permissions Check for DC=DomainDnsZones,DC=domain,DC=dns (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=DomainDnsZones,DC=domain,DC=dns
         * Security Permissions Check for CN=Schema,CN=Configuration,DC=domain,DC=dns (Schema,Version 3)
         * Security Permissions Check for CN=Configuration,DC=domain,DC=dns (Configuration,Version 3)
         * Security Permissions Check for DC=domain,DC=dns (Domain,Version 3)
         ......................... server2 failed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\server2\netlogon)
         [server2] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... server2 failed test NetLogons
      Starting test: ObjectsReplicated
         server2 is in domain DC=domain,DC=dns
         Checking for CN=server2,OU=Domain Controllers,DC=domain,DC=dns in domain DC=domain,DC=dns on 1 servers
         Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns in domain CN=Configuration,DC=domain,DC=dns on 1 servers
         Object is up-to-date on all servers.
         ......................... server2 passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
         DC=ForestDnsZones,DC=domain,DC=dns
            Latency information for 8 entries in the vector were ignored.
            8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
         DC=DomainDnsZones,DC=domain,DC=dns
            Latency information for 8 entries in the vector were ignored.
            8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
         CN=Schema,CN=Configuration,DC=domain,DC=dns
            Latency information for 9 entries in the vector were ignored.
            9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
         CN=Configuration,DC=domain,DC=dns
            Latency information for 9 entries in the vector were ignored.
            9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
         DC=domain,DC=dns
            Latency information for 9 entries in the vector were ignored.
            9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
         ......................... server2 passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 16606 to 1073741823
         * server2.domain.dns is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 16106 to 16605
         * rIDPreviousAllocationPool is 16106 to 16605
         * rIDNextRID: 16106
         ......................... server2 passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... server2 passed test Services
      Starting test: SystemLog
         * The System Event log test
         An Warning Event occurred. EventID: 0x8000001D
            Time Generated: 07/05/2009 17:58:50
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
         An Error Event occurred. EventID: 0xC0001B72
            Time Generated: 07/05/2009 18:08:40
            Event String:
            The following boot-start or system-start driver(s) failed to load:
            storflt
            superbmc
         An Warning Event occurred. EventID: 0x00002724
            Time Generated: 07/05/2009 18:19:30
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         ......................... server2 failed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference) CN=server2,OU=Domain Controllers,DC=domain,DC=dns and backlink on CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns are correct.
         The system object reference (serverReferenceBL) CN=server2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=dns and backlink on CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns are correct.
         ......................... server2 passed test VerifyReferences
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation

   Running enterprise tests on : domain.dns
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\server1.domain.dns
         Locator Flags: 0xe00011fc
         PDC Name: \\server2.domain.dns
         Locator Flags: 0xe00013fd
         Time Server Name: \\server1.domain.dns
         Locator Flags: 0xe00011fc
         Preferred Time Server Name: \\server1.domain.dns
         Locator Flags: 0xe00011fc
         KDC Name: \\server1.domain.dns
         Locator Flags: 0xe00011fc
         ......................... domain.dns passed test LocatorCheck
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
         ......................... domain.dns passed test Intersite

repadmin /showrepl from server2:

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\server2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
DSA invocationID: 08e803de-61a0-4db8-bd91-8fdbfa816035

==== INBOUND NEIGHBORS ======================================

DC=domain,DC=dns
    Default-First-Site-Name\server1 via RPC
        DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326
        Last attempt @ 2009-07-05 18:11:12 was successful.

CN=Configuration,DC=domain,DC=dns
    Default-First-Site-Name\server1 via RPC
        DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326
        Last attempt @ 2009-07-05 18:08:23 was successful.

CN=Schema,CN=Configuration,DC=domain,DC=dns
    Default-First-Site-Name\server1 via RPC
        DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326
        Last attempt @ 2009-07-05 18:08:23 was successful.

DC=DomainDnsZones,DC=domain,DC=dns
    Default-First-Site-Name\server1 via RPC
        DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326
        Last attempt @ 2009-07-05 18:08:24 was successful.

DC=ForestDnsZones,DC=domain,DC=dns
    Default-First-Site-Name\server1 via RPC
        DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326
        Last attempt @ 2009-07-05 18:28:46 was successful.

Hello Haji,

Can you open and compare sysvol and netlogon share on both DCs? Please ping between both DCs with ipaddress, computername and FQDN. Any firewall running between them?

Best regards

Meinolf Weber
> 8 were retired Invocations. 0 were either: > read-only > replicas and are not verifiably latent, or dc's no longer replicating > this > nc. 0 had no latency information (Win2K DC). > DC=DomainDnsZones,DC=domain,DC=dns > Latency information for 8 entries in the vector were > ignored. > 8 were retired Invocations. 0 were either: > read-only > replicas and are not verifiably latent, or dc's no longer replicating > this > nc. 0 had no latency information (Win2K DC). > CN=Schema,CN=Configuration,DC=domain,DC=dns > Latency information for 9 entries in the vector were > ignored. > 9 were retired Invocations. 0 were either: > read-only > replicas and are not verifiably latent, or dc's no longer replicating > this > nc. 0 had no latency information (Win2K DC). > CN=Configuration,DC=domain,DC=dns > Latency information for 9 entries in the vector were > ignored. > 9 were retired Invocations. 0 were either: > read-only > replicas and are not verifiably latent, or dc's no longer replicating > this > nc. 0 had no latency information (Win2K DC). > DC=domain,DC=dns > Latency information for 9 entries in the vector were > ignored. > 9 were retired Invocations. 0 were either: > read-only > replicas and are not verifiably latent, or dc's no longer replicating > this > nc. 0 had no latency information (Win2K DC). > ......................... server2 passed test Replications > Starting test: RidManager > > * Available RID Pool for the Domain is 16606 to 1073741823 > * server2.domain.dns is the RID Master > * DsBind with RID Master was successful > * rIDAllocationPool is 16106 to 16605 > * rIDPreviousAllocationPool is 16106 to 16605 > * rIDNextRID: 16106 > ......................... 
server2 passed test RidManager > Starting test: Services > > * Checking Service: EventSystem > * Checking Service: RpcSs > * Checking Service: NTDS > * Checking Service: DnsCache > * Checking Service: DFSR > * Checking Service: IsmServ > * Checking Service: kdc > * Checking Service: SamSs > * Checking Service: LanmanServer > * Checking Service: LanmanWorkstation > * Checking Service: w32time > * Checking Service: NETLOGON > ......................... server2 passed test Services > Starting test: SystemLog > > * The System Event log test > An Warning Event occurred. EventID: 0x8000001D > Time Generated: 07/05/2009 17:58:50 > > Event String: > > The Key Distribution Center (KDC) cannot find a suitable > certificate to use for smart card logons, or the KDC certificate could > not be verified. Smart card logon may not function correctly if this > problem is not resolved. To correct this problem, either verify the > existing KDC certificate using certutil.exe or enroll for a new KDC > certificate. > > An Error Event occurred. EventID: 0xC0001B72 > > Time Generated: 07/05/2009 18:08:40 > > Event String: > > The following boot-start or system-start driver(s) failed > to load: > > storflt > > superbmc > > An Warning Event occurred. EventID: 0x00002724 > > Time Generated: 07/05/2009 18:19:30 > > Event String: > > This computer has at least one dynamically assigned IPv6 > address.For reliable DHCPv6 server operation, you should use only > static IPv6 addresses. > > ......................... server2 failed test SystemLog > > Test omitted by user request: Topology > > Test omitted by user request: VerifyEnterpriseReferences > > Starting test: VerifyReferences > > The system object reference (serverReference) > > CN=server2,OU=Domain Controllers,DC=domain,DC=dns and > backlink on > > CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configura > tion,DC=domain,DC=dns > > are correct. 
> The system object reference (serverReferenceBL) > CN=server2,CN=Domain System Volume (SYSVOL share),CN=File > Replication Service,CN=System,DC=domain,DC=dns > > and backlink on > > CN=NTDS > Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN= > Configuration,DC=domain,DC=dns > > are correct. > ......................... server2 passed test > VerifyReferences > Test omitted by user request: VerifyReplicas > > Test omitted by user request: DNS > > Test omitted by user request: DNS > > Running partition tests on : ForestDnsZones > > Starting test: CheckSDRefDom > > ......................... ForestDnsZones passed test > CheckSDRefDom > > Starting test: CrossRefValidation > > ......................... ForestDnsZones passed test > > CrossRefValidation > > Running partition tests on : DomainDnsZones > > Starting test: CheckSDRefDom > > ......................... DomainDnsZones passed test > CheckSDRefDom > > Starting test: CrossRefValidation > > ......................... DomainDnsZones passed test > > CrossRefValidation > > Running partition tests on : Schema > > Starting test: CheckSDRefDom > > ......................... Schema passed test CheckSDRefDom > > Starting test: CrossRefValidation > > ......................... Schema passed test > CrossRefValidation > > Running partition tests on : Configuration > > Starting test: CheckSDRefDom > > ......................... Configuration passed test > CheckSDRefDom > > Starting test: CrossRefValidation > > ......................... Configuration passed test > CrossRefValidation > > Running partition tests on : domain > > Starting test: CheckSDRefDom > > ......................... domain passed test CheckSDRefDom > > Starting test: CrossRefValidation > > ......................... 
domain passed test > CrossRefValidation > > Running enterprise tests on : domain.dns > > Test omitted by user request: DNS > > Test omitted by user request: DNS > > Starting test: LocatorCheck > > GC Name: \\server1.domain.dns > > Locator Flags: 0xe00011fc > PDC Name: \\server2.domain.dns > Locator Flags: 0xe00013fd > Time Server Name: \\server1.domain.dns > Locator Flags: 0xe00011fc > Preferred Time Server Name: \\server1.domain.dns > Locator Flags: 0xe00011fc > KDC Name: \\server1.domain.dns > Locator Flags: 0xe00011fc > ......................... domain.dns passed test LocatorCheck > Starting test: Intersite > > Skipping site Default-First-Site-Name, this site is outside > the scope > > provided by the command line arguments provided. > ......................... domain.dns passed test Intersite > repadmin /showrepl from server2: > > Repadmin: running command /showrepl against full DC localhost > > Default-First-Site-Name\server2 > > DSA Options: IS_GC > > Site Options: (none) > > DSA object GUID: d963b078-1f27-4154-8436-870d19935efe > > DSA invocationID: 08e803de-61a0-4db8-bd91-8fdbfa816035 > > ==== INBOUND NEIGHBORS ====================================== > > DC=domain,DC=dns > > Default-First-Site-Name\server1 via RPC > > DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326 > > Last attempt @ 2009-07-05 18:11:12 was successful. > > CN=Configuration,DC=domain,DC=dns > > Default-First-Site-Name\server1 via RPC > > DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326 > > Last attempt @ 2009-07-05 18:08:23 was successful. > > CN=Schema,CN=Configuration,DC=domain,DC=dns > > Default-First-Site-Name\server1 via RPC > > DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326 > > Last attempt @ 2009-07-05 18:08:23 was successful. > > DC=DomainDnsZones,DC=domain,DC=dns > > Default-First-Site-Name\server1 via RPC > > DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326 > > Last attempt @ 2009-07-05 18:08:24 was successful. 
> > DC=ForestDnsZones,DC=domain,DC=dns > > Default-First-Site-Name\server1 via RPC > > DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326 > > Last attempt @ 2009-07-05 18:28:46 was successful. > > "Meinolf Weber [MVP-DS]" wrote: > >> Hello Haji, >> >> Run diagnostics dcdiag /v and repadmin /showrepl to check for errors >> and make sure both DCs have replicated. Are both listed in the DNS >> zones with there A record and nema server record and also under all >> subfolders? >> >> Best regards >> >> Meinolf Weber >> Disclaimer: This posting is provided "AS IS" with no warranties, and >> confers >> no rights. >> ** Please do NOT email, only reply to Newsgroups >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm >>> I've got a Windows 2008 box that was my only DC in my test network >>> that is on some rather aged hardware. I've built a new box to >>> replace the old DC with, installed Server 2008 on it, added it to >>> the domain, ran dcpromo, kicked it up to a GC, and transfered the >>> FSMO roles over to it. However, when I run dcpromo on the old box >>> that I'm wanting to retire, I get the following message: >>> >>> "You did not indicate that this Active Directory domain controller >>> is the last domain controller for the domain test.dns. However, no >>> other Active Directory domain controllers for that domain can be >>> contacted." >>> >>> I've also noticed that when the old box is powered down, none of my >>> test workstations can map a drive to the new server, due to an >>> authentication failure. The ID that the server is logged into is an >>> enterprise admin ID, and this is a single domain setup (no child >>> domains in the forrest). Both the forrest and the domain are at >>> 2008 functional level. Each server has DNS installed and is AD >>> Integrated. Each server points to the other for DNS primary, and >>> itself for secondary. 
>>> >>> I'm sure there is more information that is needed that I haven't >>> provided, just let me know what you need and I'll post it, but if >>> anyone can help me out, I'd really like to learn what this issue is >>> and how to fix it. >>> Server2 oddly enough doesn't have a sysvol or netlogon share, which could be
an issue... I noticed that when I initially set up the server, so I manually created them, but apparently they didn't "stick."

Neither server has a firewall active on them. Both are disabled.

All pings are successful between both servers.

"Meinolf Weber [MVP-DS]" wrote:
> Hello Haji,
>
> Can you open and compare sysvol and netlogon share on both DCs?
>
> Please ping between both DCs with ipaddress, computername and FQDN.
>
> Any firewall running between them?
>
> Best regards
>
> Meinolf Weber

Hello Haji,
You cannot create the sysvol and netlogon shares manually; they are created during dcpromo. Unfortunately server1 has problems, so getting them replicated will also be a problem.

Do you have a backup from server1 available where it was running correctly?

Best regards

Meinolf Weber

> Server2 oddly enough doesn't have a sysvol or netlogon share, which
> could be an issue... I noticed that when I initially set up the
> server, so I manually created them, but apparently they didn't
> "stick."
>
> Neither server has a firewall active on them. Both are disabled.
>
> All pings are successful between both servers.

No, I don't unfortunately, as this is just my home network that I test stuff
on. I didn't even notice any issues until I tried moving the AD over to the new server.

"Meinolf Weber [MVP-DS]" wrote:
> Hello Haji,
>
> You can not create sysvol and netlogon share manually, they are created during
> dcpromo. Unfortunately server1 has problems, so getting them replicated will also
> be a problem.
>
> Do you have a backup from server1 available where it was running correct?
>
> Best regards
>
> Meinolf Weber
>
> > Server2 oddly enough doesn't have a sysvol or netlogon share, which
> > could be an issue... I noticed that when I initially setup the
> > server, so I manually created them, but apparently they didn't
> > "stick."
> >
> > Neither server has a firewall active on them. Both are disabled.
> >
> > All pings are successful between both servers.
> >
> > "Meinolf Weber [MVP-DS]" wrote:
> >
> >> Hello Haji,
> >>
> >> Can you open and compare sysvol and netlogon share on both DCs?
> >>
> >> Please ping between both DCs with ipaddress, computername and FQDN.
> >>
> >> Any firewall running between them?
> >>
> >> Best regards
> >>
> >> Meinolf Weber
> >>
> >>> dcdiag from server2, which is the new one:

dcdiag from Server1, which is the old one:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine server1, is a Directory Server.
   Home Server = server1
   * Connecting to directory service on server server1.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=dns,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\server1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         Determining IP6 connectivity
         * Active Directory RPC Services Check
         ......................... server1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\server1
      Starting test: Advertising
         The DC server1 is advertising itself as a DC and having a DS.
         The DC server1 is advertising as an LDAP server
         The DC server1 is advertising as having a writeable directory
         The DC server1 is advertising as a Key Distribution Center
         The DC server1 is advertising as a time server
         The DS server1 is advertising as a GC.
         ......................... server1 passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared. Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Error Event occurred. EventID: 0xC00034F0
            Time Generated: 07/04/2009 23:13:40
            Event String:
            The File Replication Service is unable to add this computer to the following replica set:
                "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
            This could be caused by a number of problems such as:
              -- an invalid root path,
              -- a missing directory,
              -- a missing disk volume,
              -- a file system on the volume that does not support NTFS 5.0
            The information below may help to resolve the problem:
            Computer DNS name is "server1.domain.dns"
            Replica set member name is "server1"
            Replica set root path is "d:\ad\sysvol\domain"
            Replica staging directory path is "d:\ad\sysvol\staging\domain"
            Replica working directory path is "c:\windows\ntfrs\jet"
            Windows error status code is
            FRS error status code is FrsErrorMismatchedJournalId
            Other event log messages may also help determine the problem. Correct the problem and the service will attempt to restart replication automatically at a later time.
         An Error Event occurred. EventID: 0xC00034F3
            Time Generated: 07/04/2009 23:13:40
            Event String:
            The File Replication Service is in an error state. Files will not replicate to or from one or all of the replica sets on this computer until the following recovery steps are performed:

            Recovery Steps:

            [1] The error state may clear itself if you stop and restart the FRS service. This can be done by performing the following in a command window:

                net stop ntfrs
                net start ntfrs

            If this fails to clear up the problem then proceed as follows.

            [2] For Active Directory Domain Services Domain Controllers that DO NOT host any DFS alternates or other replica sets with replication enabled:

            If there is at least one other Domain Controller in this domain then restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and make it non-authoritative.

            If there are NO other Domain Controllers in this domain then restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and choose the Advanced option which marks the sysvols as primary.

            If there are other Domain Controllers in this domain but ALL of them have this event log message then restore one of them as primary (data files from primary will replicate everywhere) and the others as non-authoritative.

            [3] For Active Directory Domain Services Domain Controllers that host DFS alternates or other replica sets with replication enabled:

            (3-a) If the Dfs alternates on this DC do not have any other replication partners then copy the data under that Dfs share to a safe location.
            (3-b) If this server is the only Active Directory Domain Services Domain Controller for this domain then, before going to (3-c), make sure this server does not have any inbound or outbound connections to other servers that were formerly Domain Controllers for this domain but are now off the net (and will never be coming back online) or have been fresh installed without being demoted. To delete connections use the Sites and Services snapin and look for Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS Settings->CONNECTIONS.
            (3-c) Restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and make it non-authoritative.
            (3-d) Copy the data from step (3-a) above to the original location after the sysvol share is published.

            [4] For other Windows servers:

            (4-a) If any of the DFS alternates or other replica sets hosted by this server do not have any other replication partners then copy the data under its share or replica tree root to a safe location.
            (4-b) net stop ntfrs
            (4-c) rd /s /q c:\windows\ntfrs\jet
            (4-d) net start ntfrs
            (4-e) Copy the data from step (4-a) above to the original location after the service has initialized (5 minutes is a safe waiting time).

            Note: If this error message is in the eventlog of all the members of a particular replica set then perform steps (4-a) and (4-e) above on only one of the members.
         ......................... server1 failed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         ......................... server1 passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... server1 passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... server1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
         Role Domain Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
         Role PDC Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
         Role Rid Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns
         ......................... server1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC server1 on DC server1.
         * SPN found :LDAP/server1.domain.dns/domain.dns
         * SPN found :LDAP/server1.domain.dns
         * SPN found :LDAP/server1
         * SPN found :LDAP/server1.domain.dns/domain
         * SPN found :LDAP/10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/10054e4e-3786-4858-a745-5a3b299c2326/domain.dns
         * SPN found :HOST/server1.domain.dns/domain.dns
         * SPN found :HOST/server1.domain.dns
         * SPN found :HOST/server1
         * SPN found :HOST/server1.domain.dns/domain
         * SPN found :GC/server1.domain.dns/domain.dns
         ......................... server1 passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC server1.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=domain,DC=dns
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=domain,DC=dns
         * Security Permissions Check for
           DC=DomainDnsZones,DC=domain,DC=dns
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=domain,DC=dns
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=domain,DC=dns
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=domain,DC=dns
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=domain,DC=dns
            (Domain,Version 3)
         ......................... server1 failed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\server1\netlogon
         Verified share \\server1\sysvol
         ......................... server1 passed test NetLogons
      Starting test: ObjectsReplicated
         server1 is in domain DC=domain,DC=dns
         Checking for CN=server1,OU=Domain Controllers,DC=domain,DC=dns in domain DC=domain,DC=dns on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns in domain CN=Configuration,DC=domain,DC=dns on 1 servers
            Object is up-to-date on all servers.
         ......................... server1 passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=domain,DC=dns
               Latency information for 8 entries in the vector were ignored.
                  8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
            DC=DomainDnsZones,DC=domain,DC=dns
               Latency information for 8 entries in the vector were ignored.
                  8 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
            CN=Schema,CN=Configuration,DC=domain,DC=dns
               Latency information for 9 entries in the vector were ignored.
                  9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
            CN=Configuration,DC=domain,DC=dns
               Latency information for 9 entries in the vector were ignored.
                  9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
            DC=domain,DC=dns
               Latency information for 9 entries in the vector were ignored.
                  9 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
         ......................... server1 passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 16606 to 1073741823
         * server2.domain.dns is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 4606 to 5105
         * rIDPreviousAllocationPool is 4606 to 5105
         * rIDNextRID: 4616
         ......................... server1 passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... server1 passed test Services
      Starting test: SystemLog
         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... server1 passed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference) CN=server1,OU=Domain Controllers,DC=domain,DC=dns and backlink on CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns are correct.
         The system object reference (serverReferenceBL) CN=server1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=dns and backlink on CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=dns are correct.
         ......................... server1 passed test VerifyReferences
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation

   Running enterprise tests on : domain.dns
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\server1.domain.dns
         Locator Flags: 0xe00011fc
         PDC Name: \\server2.domain.dns
         Locator Flags: 0xe00013fd
         Time Server Name: \\server1.domain.dns
         Locator Flags: 0xe00011fc
         Preferred Time Server Name: \\server1.domain.dns
         Locator Flags: 0xe00011fc
         KDC Name: \\server1.domain.dns
         Locator Flags: 0xe00011fc
         ......................... domain.dns passed test LocatorCheck
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
         ......................... domain.dns passed test Intersite

repadmin /showrepl from server1:

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\server1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326
DSA invocationID: d796d1fd-f4ef-400a-b2ba-a094c73c1659

==== INBOUND NEIGHBORS ======================================

DC=domain,DC=dns
    Default-First-Site-Name\server2 via RPC
        DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
        Last attempt @ 2009-07-05 18:23:20 was successful.

CN=Configuration,DC=domain,DC=dns
    Default-First-Site-Name\server2 via RPC
        DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
        Last attempt @ 2009-07-05 17:53:08 was successful.

CN=Schema,CN=Configuration,DC=domain,DC=dns
    Default-First-Site-Name\server2 via RPC
        DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
        Last attempt @ 2009-07-05 17:53:08 was successful.

DC=DomainDnsZones,DC=domain,DC=dns
    Default-First-Site-Name\server2 via RPC
        DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
        Last attempt @ 2009-07-05 17:53:08 was successful.

DC=ForestDnsZones,DC=domain,DC=dns
    Default-First-Site-Name\server2 via RPC
        DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
        Last attempt @ 2009-07-05 18:29:12 was successful.

"Meinolf Weber [MVP-DS]" wrote:
> Hello Haji,
>
> Run diagnostics dcdiag /v and repadmin /showrepl to check for errors and
> make sure both DCs have replicated. Are both listed in the DNS zones with
> their A record and name server record and also under all subfolders?
>
> Best regards
>
> Meinolf Weber
>
> > I've got a Windows 2008 box that was my only DC in my test network
> > that is on some rather aged hardware. I've built a new box to replace
> > the old DC with, installed Server 2008 on it, added it to the domain,
> > ran dcpromo, kicked it up to a GC, and transferred the FSMO roles over
> > to it. However, when I run dcpromo on the old box that I'm wanting to
> > retire, I get the following message:
> >
> > "You did not indicate that this Active Directory domain controller is
> > the last domain controller for the domain test.dns. However, no other
> > Active Directory domain controllers for that domain can be contacted."
> >
> > I've also noticed that when the old box is powered down, none of my
> > test workstations can map a drive to the new server, due to an
> > authentication failure. The ID that the server is logged into is an
> > enterprise admin ID, and this is a single domain setup (no child
> > domains in the forest). Both the forest and the domain are at 2008
> > functional level. Each server has DNS installed and is AD Integrated.
> > Each server points to the other for DNS primary, and itself for
> > secondary.
> >
> > I'm sure there is more information that is needed that I haven't
> > provided, just let me know what you need and I'll post it, but if
> > anyone can help me out, I'd really like to learn what this issue is
> > and how to fix it.

Hello Haji,

Did you change the default locations to "d:\ad\sysvol\domain" and "d:\ad\sysvol\staging\domain" on server1? Was server1 ever restored from backup/image/snapshot (VM) without cleaning the AD database before?

I am also a bit surprised about the difference of the RID pool between both DCs, there is a really big difference which shouldn't be the case. Normally they stick together.

Best regards

Meinolf Weber

> dcdiag from Server1, which is the old one:
> The previous call succeeded
> Iterating through the list of servers
> Getting information for the server CN=NTDS
> Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> objectGuid obtained
> InvocationID obtained
> dnsHostname obtained
> site info obtained
> All the info for the server collected
> Getting information for the server CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> objectGuid obtained
> InvocationID obtained
> dnsHostname obtained
> site info obtained
> All the info for the server collected
> * Identifying all NC cross-refs.
> * Found 2 DC(s). Testing 1 of them.
>
> Done gathering initial info.
>
> Doing initial required tests
>
> Testing server: Default-First-Site-Name\server1
>
> Starting test: Connectivity
>
> * Active Directory LDAP Services Check
> Determining IP4 connectivity
> Determining IP6 connectivity
> * Active Directory RPC Services Check
> ......................... server1 passed test Connectivity
> Doing primary tests
>
> Testing server: Default-First-Site-Name\server1
>
> Starting test: Advertising
>
> The DC server1 is advertising itself as a DC and having a DS.
> The DC server1 is advertising as an LDAP server
> The DC server1 is advertising as having a writeable directory
> The DC server1 is advertising as a Key Distribution Center
> The DC server1 is advertising as a time server
> The DS server1 is advertising as a GC.
> ......................... server1 passed test Advertising
> Test omitted by user request: CheckSecurityError
>
> Test omitted by user request: CutoffServers
>
> Starting test: FrsEvent
>
> * The File Replication Service Event log test
> There are warning or error events within the last 24 hours
> after the
> SYSVOL has been shared. Failing SYSVOL replication problems
> may cause
>
> Group Policy problems.
> An Error Event occurred.
> EventID: 0xC00034F0
> Time Generated: 07/04/2009 23:13:40
>
> Event String:
>
> The File Replication Service is unable to add this
> computer to the following replica set:
>
> "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
>
> This could be caused by a number of problems such as:
>
> -- an invalid root path,
>
> -- a missing directory,
>
> -- a missing disk volume,
>
> -- a file system on the volume that does not support
> NTFS 5.0
>
> The information below may help to resolve the problem:
>
> Computer DNS name is "server1.domain.dns"
>
> Replica set member name is "server1"
>
> Replica set root path is "d:\ad\sysvol\domain"
>
> Replica staging directory path is
> "d:\ad\sysvol\staging\domain"
>
> Replica working directory path is "c:\windows\ntfrs\jet"
>
> Windows error status code is
>
> FRS error status code is FrsErrorMismatchedJournalId
>
> Other event log messages may also help determine the
> problem. Correct the problem and the service will attempt to restart
> replication automatically at a later time.
>
> An Error Event occurred. EventID: 0xC00034F3
>
> Time Generated: 07/04/2009 23:13:40
>
> Event String:
>
> The File Replication Service is in an error state. Files
> will not replicate to or from one or all of the replica sets on this
> computer until the following recovery steps are performed:
>
> Recovery Steps:
>
> [1] The error state may clear itself if you stop and
> restart the FRS service. This can be done by performing the following
> in a command window:
>
> net stop ntfrs
>
> net start ntfrs
>
> If this fails to clear up the problem then proceed as
> follows.
>
> [2] For Active Directory Domain Services Domain
> Controllers that DO NOT host any DFS alternates or other replica sets
> with replication enabled:
>
> If there is at least one other Domain Controller in this
> domain then restore the "system state" of this DC from backup (using
> ntbackup or other backup-restore utility) and make it
> non-authoritative.
>
> If there are NO other Domain Controllers in this domain
> then restore the "system state" of this DC from backup (using ntbackup
> or other backup-restore utility) and choose the Advanced option which
> marks the sysvols as primary.
>
> If there are other Domain Controllers in this domain but
> ALL of them have this event log message then restore one of them as
> primary (data files from primary will replicate everywhere) and the
> others as non-authoritative.
>
> [3] For Active Directory Domain Services Domain
> Controllers that host DFS alternates or other replica sets with
> replication enabled:
>
> (3-a) If the Dfs alternates on this DC do not have any
> other replication partners then copy the data under that Dfs share to
> a safe location.
>
> (3-b) If this server is the only Active Directory Domain
> Services Domain Controller for this domain then, before going to
> (3-c), make sure this server does not have any inbound or outbound
> connections to other servers that were formerly Domain Controllers for
> this domain but are now off the net (and will never be coming back
> online) or have been fresh installed without being demoted. To delete
> connections use the Sites and Services snapin and look for
>
> Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS
> Settings->CONNECTIONS.
>
> (3-c) Restore the "system state" of this DC from backup
> (using ntbackup or other backup-restore utility) and make it
> non-authoritative.
>
> (3-d) Copy the data from step (3-a) above to the original
> location after the sysvol share is published.
>
> [4] For other Windows servers:
>
> (4-a) If any of the DFS alternates or other replica sets
> hosted by this server do not have any other replication partners then
> copy the data under its share or replica tree root to a safe location.
>
> (4-b) net stop ntfrs
>
> (4-c) rd /s /q c:\windows\ntfrs\jet
>
> (4-d) net start ntfrs
>
> (4-e) Copy the data from step (4-a) above to the
> original location after the service has initialized (5 minutes is a
> safe waiting time).
>
> Note: If this error message is in the eventlog of all the
> members of a particular replica set then perform steps (4-a) and (4-e)
> above on only one of the members.
>
> ......................... server1 failed test FrsEvent
>
> Starting test: DFSREvent
>
> The DFS Replication Event Log.
> ......................... server1 passed test DFSREvent
> Starting test: SysVolCheck
>
> * The File Replication Service SYSVOL ready test
> File Replication Service's SYSVOL is ready
> ......................... server1 passed test SysVolCheck
> Starting test: KccEvent
>
> * The KCC Event log test
> Found no KCC errors in "Directory Service" Event log in the
> last 15
> minutes.
> ......................... server1 passed test KccEvent
> Starting test: KnowsOfRoleHolders
>
> Role Schema Owner = CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> Role Domain Owner = CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> Role PDC Owner = CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> Role Rid Owner = CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> Role Infrastructure Update Owner = CN=NTDS
> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> ......................... server1 passed test
> KnowsOfRoleHolders
> Starting test: MachineAccount
>
> Checking machine account for DC server1 on DC server1.
> * SPN found :LDAP/server1.domain.dns/domain.dns
> * SPN found :LDAP/server1.domain.dns
> * SPN found :LDAP/server1
> * SPN found :LDAP/server1.domain.dns/domain
> * SPN found
> :LDAP/10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
> * SPN found
> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/10054e4e-3786-4858-a745-5a3b299c
> 2326/domain.dns
> * SPN found :HOST/server1.domain.dns/domain.dns
> * SPN found :HOST/server1.domain.dns
> * SPN found :HOST/server1
> * SPN found :HOST/server1.domain.dns/domain
> * SPN found :GC/server1.domain.dns/domain.dns
> ......................... server1 passed test MachineAccount
> Starting test: NCSecDesc
>
> * Security Permissions check for all NC's on DC server1.
> The forest is not ready for RODC. Will skip checking ERODC
> ACEs.
> * Security Permissions Check for
> DC=ForestDnsZones,DC=domain,DC=dns
> (NDNC,Version 3)
> Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
> Replicating Directory Changes In Filtered Set
> access rights for the naming context:
> DC=ForestDnsZones,DC=domain,DC=dns
> * Security Permissions Check for
> DC=DomainDnsZones,DC=domain,DC=dns
> (NDNC,Version 3)
> Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
> Replicating Directory Changes In Filtered Set
> access rights for the naming context:
> DC=DomainDnsZones,DC=domain,DC=dns
> * Security Permissions Check for
> CN=Schema,CN=Configuration,DC=domain,DC=dns
> (Schema,Version 3)
> * Security Permissions Check for
> CN=Configuration,DC=domain,DC=dns
> (Configuration,Version 3)
> * Security Permissions Check for
> DC=domain,DC=dns
> (Domain,Version 3)
> ......................... server1 failed test NCSecDesc
> Starting test: NetLogons
>
> * Network Logons Privileges Check
> Verified share \\server1\netlogon
> Verified share \\server1\sysvol
> .........................
> server1 passed test NetLogons
> Starting test: ObjectsReplicated
>
> server1 is in domain DC=domain,DC=dns
> Checking for CN=server1,OU=Domain
> Controllers,DC=domain,DC=dns in
> domain DC=domain,DC=dns on 1 servers
> Object is up-to-date on all servers.
> Checking for CN=NTDS
> Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
> in domain CN=Configuration,DC=domain,DC=dns on 1 servers
> Object is up-to-date on all servers.
> ......................... server1 passed test
> ObjectsReplicated
> Test omitted by user request: OutboundSecureChannels
>
> Starting test: Replications
>
> * Replications Check
> * Replication Latency Check
> DC=ForestDnsZones,DC=domain,DC=dns
> Latency information for 8 entries in the vector were
> ignored.
> 8 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> DC=DomainDnsZones,DC=domain,DC=dns
> Latency information for 8 entries in the vector were
> ignored.
> 8 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> CN=Schema,CN=Configuration,DC=domain,DC=dns
> Latency information for 9 entries in the vector were
> ignored.
> 9 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> CN=Configuration,DC=domain,DC=dns
> Latency information for 9 entries in the vector were
> ignored.
> 9 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> DC=domain,DC=dns
> Latency information for 9 entries in the vector were
> ignored.
> 9 were retired Invocations.
> 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> ......................... server1 passed test Replications
> Starting test: RidManager
>
> * Available RID Pool for the Domain is 16606 to 1073741823
> * server2.domain.dns is the RID Master
> * DsBind with RID Master was successful
> * rIDAllocationPool is 4606 to 5105
> * rIDPreviousAllocationPool is 4606 to 5105
> * rIDNextRID: 4616
> ......................... server1 passed test RidManager
> Starting test: Services
>
> * Checking Service: EventSystem
> * Checking Service: RpcSs
> * Checking Service: NTDS
> * Checking Service: DnsCache
> * Checking Service: DFSR
> * Checking Service: IsmServ
> * Checking Service: kdc
> * Checking Service: SamSs
> * Checking Service: LanmanServer
> * Checking Service: LanmanWorkstation
> * Checking Service: w32time
> * Checking Service: NETLOGON
> ......................... server1 passed test Services
> Starting test: SystemLog
>
> * The System Event log test
> Found no errors in "System" Event log in the last 60 minutes.
> ......................... server1 passed test SystemLog
> Test omitted by user request: Topology
>
> Test omitted by user request: VerifyEnterpriseReferences
>
> Starting test: VerifyReferences
>
> The system object reference (serverReference)
>
> CN=server1,OU=Domain Controllers,DC=domain,DC=dns and
>
> backlink on
>
> CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configura
> tion,DC=domain,DC=dns
>
> are correct.
> The system object reference (serverReferenceBL)
> CN=server1,CN=Domain System Volume (SYSVOL share),CN=File
> Replication Service,CN=System,DC=domain,DC=dns
>
> and backlink on
>
> CN=NTDS
> Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=domain,DC=dns
>
> are correct.
> .........................
> server1 passed test
> VerifyReferences
> Test omitted by user request: VerifyReplicas
>
> Test omitted by user request: DNS
>
> Test omitted by user request: DNS
>
> Running partition tests on : ForestDnsZones
>
> Starting test: CheckSDRefDom
>
> ......................... ForestDnsZones passed test
> CheckSDRefDom
>
> Starting test: CrossRefValidation
>
> ......................... ForestDnsZones passed test
>
> CrossRefValidation
>
> Running partition tests on : DomainDnsZones
>
> Starting test: CheckSDRefDom
>
> ......................... DomainDnsZones passed test
> CheckSDRefDom
>
> Starting test: CrossRefValidation
>
> ......................... DomainDnsZones passed test
>
> CrossRefValidation
>
> Running partition tests on : Schema
>
> Starting test: CheckSDRefDom
>
> ......................... Schema passed test CheckSDRefDom
>
> Starting test: CrossRefValidation
>
> ......................... Schema passed test
> CrossRefValidation
>
> Running partition tests on : Configuration
>
> Starting test: CheckSDRefDom
>
> ......................... Configuration passed test
> CheckSDRefDom
>
> Starting test: CrossRefValidation
>
> ......................... Configuration passed test
> CrossRefValidation
>
> Running partition tests on : domain
>
> Starting test: CheckSDRefDom
>
> ......................... domain passed test CheckSDRefDom
>
> Starting test: CrossRefValidation
>
> ......................... domain passed test
> CrossRefValidation
>
> Running enterprise tests on : domain.dns
>
> Test omitted by user request: DNS
>
> Test omitted by user request: DNS
>
> Starting test: LocatorCheck
>
> GC Name: \\server1.domain.dns
>
> Locator Flags: 0xe00011fc
> PDC Name: \\server2.domain.dns
> Locator Flags: 0xe00013fd
> Time Server Name: \\server1.domain.dns
> Locator Flags: 0xe00011fc
> Preferred Time Server Name: \\server1.domain.dns
> Locator Flags: 0xe00011fc
> KDC Name: \\server1.domain.dns
> Locator Flags: 0xe00011fc
> .........................
> domain.dns passed test LocatorCheck
> Starting test: Intersite
>
> Skipping site Default-First-Site-Name, this site is outside
> the scope
>
> provided by the command line arguments provided.
> ......................... domain.dns passed test Intersite
> repadmin /showrepl from server1:
>
> Repadmin: running command /showrepl against full DC localhost
>
> Default-First-Site-Name\server1
>
> DSA Options: IS_GC
>
> Site Options: (none)
>
> DSA object GUID: 10054e4e-3786-4858-a745-5a3b299c2326
>
> DSA invocationID: d796d1fd-f4ef-400a-b2ba-a094c73c1659
>
> ==== INBOUND NEIGHBORS ======================================
>
> DC=domain,DC=dns
>
> Default-First-Site-Name\server2 via RPC
>
> DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
>
> Last attempt @ 2009-07-05 18:23:20 was successful.
>
> CN=Configuration,DC=domain,DC=dns
>
> Default-First-Site-Name\server2 via RPC
>
> DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
>
> Last attempt @ 2009-07-05 17:53:08 was successful.
>
> CN=Schema,CN=Configuration,DC=domain,DC=dns
>
> Default-First-Site-Name\server2 via RPC
>
> DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
>
> Last attempt @ 2009-07-05 17:53:08 was successful.
>
> DC=DomainDnsZones,DC=domain,DC=dns
>
> Default-First-Site-Name\server2 via RPC
>
> DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
>
> Last attempt @ 2009-07-05 17:53:08 was successful.
>
> DC=ForestDnsZones,DC=domain,DC=dns
>
> Default-First-Site-Name\server2 via RPC
>
> DSA object GUID: d963b078-1f27-4154-8436-870d19935efe
>
> Last attempt @ 2009-07-05 18:29:12 was successful.
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Haji,
>>
>> Run diagnostics dcdiag /v and repadmin /showrepl to check for errors
>> and make sure both DCs have replicated. Are both listed in the DNS
>> zones with their A record and name server record and also under all
>> subfolders?

When I built server1, I specified those locations. They were never moved.

Server1 has never been restored from backup.

As for the RID pool, how do I correct that?

Hello Haji,

The RID pool is just noticeable. You cannot correct that.

I assume you have event id 13555 and 13552 on server1 in the event log.
http://support.microsoft.com/kb/925633

Also have a look at this one:
http://support.microsoft.com/kb/290762/

Best regards

Meinolf Weber
Files >>> will not replicate to or from one or all of the replica sets on this >>> computer until the following recovery steps are performed: >>> Recovery Steps: >>> >>> [1] The error state may clear itself if you stop and >>> restart the FRS service. This can be done by performing the >>> following >>> in a command window: >>> net stop ntfrs >>> >>> net start ntfrs >>> >>> If this fails to clear up the problem then proceed as follows. >>> >>> [2] For Active Directory Domain Services Domain >>> Controllers that DO NOT host any DFS alternates or other replica >>> sets >>> with replication enabled: >>> If there is at least one other Domain Controller in this >>> domain then restore the "system state" of this DC from backup (using >>> ntbackup or other backup-restore utility) and make it >>> non-authoritative. >>> If there are NO other Domain Controllers in this domain >>> then restore the "system state" of this DC from backup (using >>> ntbackup >>> or other backup-restore utility) and choose the Advanced option >>> which >>> marks the sysvols as primary. >>> If there are other Domain Controllers in this domain but >>> ALL of them have this event log message then restore one of them as >>> primary (data files from primary will replicate everywhere) and the >>> others as non-authoritative. >>> [3] For Active Directory Domain Services Domain >>> Controllers that host DFS alternates or other replica sets with >>> replication enabled: >>> (3-a) If the Dfs alternates on this DC do not have any >>> other replication partners then copy the data under that Dfs share >>> to >>> a safe location. 
>>> (3-b) If this server is the only Active Directory Domain >>> Services Domain Controller for this domain then, before going to >>> (3-c), make sure this server does not have any inbound or outbound >>> connections to other servers that were formerly Domain Controllers >>> for >>> this domain but are now off the net (and will never be coming back >>> online) or have been fresh installed without being demoted. To >>> delete >>> connections use the Sites and Services snapin and look for >>> Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS >>> Settings->CONNECTIONS. >>> >>> (3-c) Restore the "system state" of this DC from backup (using >>> ntbackup or other backup-restore utility) and make it >>> non-authoritative. >>> >>> (3-d) Copy the data from step (3-a) above to the original location >>> after the sysvol share is published. >>> >>> [4] For other Windows servers: >>> >>> (4-a) If any of the DFS alternates or other replica sets >>> hosted by this server do not have any other replication partners >>> then >>> copy the data under its share or replica tree root to a safe >>> location. >>> (4-b) net stop ntfrs >>> >>> (4-c) rd /s /q c:\windows\ntfrs\jet >>> >>> (4-d) net start ntfrs >>> >>> (4-e) Copy the data from step (4-a) above to the >>> original location after the service has initialized (5 minutes is a >>> safe waiting time). >>> Note: If this error message is in the eventlog of all the >>> members of a particular replica set then perform steps (4-a) and >>> (4-e) >>> above on only one of the members. >>> ......................... server1 failed test FrsEvent >>> >>> Starting test: DFSREvent >>> >>> The DFS Replication Event Log. ......................... server1 >>> passed test DFSREvent Starting test: SysVolCheck >>> >>> * The File Replication Service SYSVOL ready test >>> File Replication Service's SYSVOL is ready >>> ......................... 
server1 passed test SysVolCheck >>> Starting test: KccEvent >>> * The KCC Event log test >>> Found no KCC errors in "Directory Service" Event log in the >>> last 15 >>> minutes. >>> ......................... server1 passed test KccEvent >>> Starting test: KnowsOfRoleHolders >>> Role Schema Owner = CN=NTDS >>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C >>> N= >>> Configuration,DC=domain,DC=dns >>> Role Domain Owner = CN=NTDS >>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C >>> N= >>> Configuration,DC=domain,DC=dns >>> Role PDC Owner = CN=NTDS >>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C >>> N= >>> Configuration,DC=domain,DC=dns >>> Role Rid Owner = CN=NTDS >>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C >>> N= >>> Configuration,DC=domain,DC=dns >>> Role Infrastructure Update Owner = CN=NTDS >>> Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C >>> N= >>> Configuration,DC=domain,DC=dns >>> ......................... server1 passed test >>> KnowsOfRoleHolders >>> Starting test: MachineAccount >>> Checking machine account for DC server1 on DC server1. >>> * SPN found :LDAP/server1.domain.dns/domain.dns >>> * SPN found :LDAP/server1.domain.dns >>> * SPN found :LDAP/server1 >>> * SPN found :LDAP/server1.domain.dns/domain >>> * SPN found >>> :LDAP/10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns >>> * SPN found >>> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/10054e4e-3786-4858-a745-5a3b29 >>> 9c >>> 2326/domain.dns >>> * SPN found :HOST/server1.domain.dns/domain.dns >>> * SPN found :HOST/server1.domain.dns >>> * SPN found :HOST/server1 >>> * SPN found :HOST/server1.domain.dns/domain >>> * SPN found :GC/server1.domain.dns/domain.dns >>> ......................... server1 passed test MachineAccount >>> Starting test: NCSecDesc >>> * Security Permissions check for all NC's on DC server1. The forest >>> is not ready for RODC. Will skip checking ERODC ACEs. 
>>> Yes, I do have those event ID's. I'll run through both KB's you linked to
and report back.

Sounds to me like you haven't made the new box a GC or not a DNS server.

Start by posting both boxes ip configuration details. From a command prompt on both dc's run the following:

ipconfig /all

Next from each DC at a command prompt run the following and post:
nltest /server:<servername> /dsgetdc:<domainname>

Note: Feel free to modify the output, so as not to disclose any valuable information. Such as changing the first couple of octets on your ip addresses, but please be consistent (192.168. is a good replacement value).

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

In Active Directory Sites and Services, both Server1 and Server 2 are listed
as IP Bridgeheads, and both are GC's. Both servers have Active Directory
integrated DNS running on them.

Windows IP Configuration

   Host Hame . . . . . . . . . . . . : server2
   Primary Dns Suffix . . . . . . . : domain.dns
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.dns

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix . : domain.dns
   Description . . . . . . . . . . . : TEAM : Team #0
   Physical Address. . . . . . . . . : 00-30-48-B8-96-8D
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.51(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.51
                                       192.168.1.9
   Primary WINS Server . . . . . . . : 192.168.1.9
   Secondary WINS Server . . . . . . : 192.168.1.51
   NetBIOS over Tcpip. . . . . . . . : Enabled

nltest /server:server2 /dsgetdc:domain.dns

DC: \\server1.domain.dns
Address: \\192.168.1.9
Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
Dom Name: domain.dns
Forest Name: domain.dns
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL SECRET

Windows IP Configuration

   Host Hame . . . . . . . . . . . . : server1
   Primary Dns Suffix . . . . . . . : domain.dns
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.dns

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix . : domain.dns
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-E0-81-58-2F-98
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.9
                                       192.168.1.51
   Primary WINS Server . . . . . . . : 192.168.1.51
   Secondary WINS Server . . . . . . : 192.168.1.9
   NetBIOS over Tcpip. . . . . . . . : Enabled

nltest /server:server1 /dsgetdc:domain.dns

DC: \\server1.domain.dns
Address: \\192.168.1.9
Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
Dom Name: domain.dns
Forest Name: domain.dns
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL SECRET
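An added example, not code from any poster in this thread: the Python below parses `nltest /server:<servername> /dsgetdc:<domainname>` output of the kind posted above and reports which DC each query returned, which flags it carried, and whether every expected DC was returned at least once. The function names, the required-flag set and the quote-prefixed layout of the second sample record are assumptions of this example.

```python
import re

# Sample input: the two nltest results posted in this thread (Dom Guid and
# site lines omitted). The second record is quote-prefixed and its Flags line
# is wrapped, as a newsreader would render it; that layout is constructed.
SAMPLE = r"""
nltest /server:server2 /dsgetdc:domain.dns

DC: \\server1.domain.dns
Address: \\192.168.1.9
Dom Name: domain.dns
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL SECRET

> nltest /server:server1 /dsgetdc:domain.dns
>
> DC: \\server1.domain.dns
> Address: \\192.168.1.9
> Dom Name: domain.dns
> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
> CLOSE_SITE FULL SECRET
"""

CMD_RE = re.compile(r"nltest\s+/server:(\S+)\s+/dsgetdc:(\S+)", re.IGNORECASE)
FIELD_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")
QUOTE_RE = re.compile(r"^(?:>\s*)+")          # leading Usenet quote markers
FLAG_LINE_RE = re.compile(r"^[A-Z0-9_ ]+$")   # a wrapped continuation of Flags

# Flags the located DC is expected to carry. Choosing this particular set is
# an assumption of the example; all five names appear in the posted output.
REQUIRED_FLAGS = {"GC", "DS", "LDAP", "KDC", "WRITABLE"}


def short_name(host):
    """'\\\\server1.domain.dns' -> 'server1' (leading backslashes dropped)."""
    return host.lstrip("\\").split(".")[0].lower()


def parse_dsgetdc(text):
    """Return one dict per nltest /dsgetdc command found in the pasted text."""
    records, current, last_key = [], None, None
    for raw in text.splitlines():
        line = QUOTE_RE.sub("", raw.strip()).strip()
        if not line:
            last_key = None
            continue
        cmd = CMD_RE.search(line)
        if cmd:
            current = {"queried": short_name(cmd.group(1)),
                       "domain": cmd.group(2).lower(), "fields": {}}
            records.append(current)
            last_key = None
            continue
        if current is None:
            continue  # text before the first command is ignored
        field = FIELD_RE.match(line)
        if field:
            last_key = field.group(1).strip().lower()
            current["fields"][last_key] = field.group(2).strip()
        elif last_key == "flags" and FLAG_LINE_RE.match(line):
            current["fields"]["flags"] += " " + line  # rejoin wrapped flags
    results = []
    for rec in records:
        fields = rec["fields"]
        results.append({
            "queried": rec["queried"],
            "domain": rec["domain"],
            "dc": short_name(fields.get("dc", "")),
            "address": fields.get("address", "").lstrip("\\"),
            "flags": set(fields.get("flags", "").split()),
        })
    return results


def review(results, expected_dcs):
    """List observations worth following up before a DC is retired."""
    findings, answered = [], set()
    for r in results:
        if not r["dc"]:
            findings.append(f"{r['queried']}: no DC returned for {r['domain']}")
            continue
        answered.add(r["dc"])
        if r["dc"] != r["queried"]:
            findings.append(f"{r['queried']}: query answered by {r['dc']}")
        missing = REQUIRED_FLAGS - r["flags"]
        if missing:
            findings.append(f"{r['dc']}: missing flags {sorted(missing)}")
    for dc in sorted(set(expected_dcs) - answered):
        findings.append(f"{dc}: never returned as the located DC")
    return findings


if __name__ == "__main__":
    for finding in review(parse_dsgetdc(SAMPLE), ["server1", "server2"]):
        print(finding)
```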
Hello Haji,

For WINS, any WINS server must ONLY point to itself. So for each DC, if it is a WINS server, it must only point to itself, not its partner. This is one of the rules for WINS servers due to its own self registration and owner of records, otherwise it will cause problems with WINS. Not saying this is causing any problems with Sysvol or the dcdiag errors, but will affect WINS services. Clients can point to both.

What Event log errors exist on any of the DCs?

Are there any firewalls installed on the 2008 DCs? Windows 2008 has the local firewall running by default. I would suggest to disable it. There are three parts of the firewall on 2008. To get to the settings:

Open Server Manager (right-click My Computer, choose Manage)
Expand Configuration
Right-click "Windows Firewall with Advanced Settings"
Choose Properties
Click on the Domain tab, Firewall State, choose "Off" in the drop-down box.
Click on the Private tab, Firewall State, choose "Off" in the drop-down box.
Click on the Public tab, Firewall State, choose "Off" in the drop-down box.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Hello Haji,
Please run:
dnslint /ad /s "ip address of your dc"

Therefore download and install:
http://support.microsoft.com/kb/321045

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> In Active Directory Sites and Services, both Server1 and Server 2 are
> listed as IP Bridgeheads, and both are GC's. Both servers have Active
> Directory integrated DNS running on them.
>
> Windows IP Configuration
>
> Host Hame . . . . . . . . . . . . : server2
> Primary Dns Suffix . . . . . . . : domain.dns
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : domain.dns
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : domain.dns
> Description . . . . . . . . . . . : TEAM : Team #0
> Physical Address. . . . . . . . . : 00-30-48-B8-96-8D
> DHCP Enabled. . . . . . . . . . . : No
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 192.168.1.51(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
> DNS Servers . . . . . . . . . . . : 192.168.1.51
>                                     192.168.1.9
> Primary WINS Server . . . . . . . : 192.168.1.9
> Secondary WINS Server . . . . . . : 192.168.1.51
> NetBIOS over Tcpip. . . . . . . . : Enabled
>
> nltest /server:server2 /dsgetdc:domain.dns
>
> DC: \\server1.domain.dns
> Address: \\192.168.1.9
> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> Dom Name: domain.dns
> Forest Name: domain.dns
> Dc Site Name: Default-First-Site-Name
> Our Site Name: Default-First-Site-Name
> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL SECRET
>
> Windows IP Configuration
>
> Host Hame . . . . . . . . . . . . : server1
> Primary Dns Suffix . . . . . . . : domain.dns
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : domain.dns
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : domain.dns
> Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
> Physical Address. . . . . . . . . : 00-E0-81-58-2F-98
> DHCP Enabled. . . . . . . . . . . : No
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
> DNS Servers . . . . . . . . . . . : 192.168.1.9
>                                     192.168.1.51
> Primary WINS Server . . . . . . . : 192.168.1.51
> Secondary WINS Server . . . . . . : 192.168.1.9
> NetBIOS over Tcpip. . . . . . . . : Enabled
>
> nltest /server:server1 /dsgetdc:domain.dns
>
> DC: \\server1.domain.dns
> Address: \\192.168.1.9
> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> Dom Name: domain.dns
> Forest Name: domain.dns
> Dc Site Name: Default-First-Site-Name
> Our Site Name: Default-First-Site-Name
> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL SECRET
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> Sounds to me like you haven't made the new box a GC or not a DNS
>> server.
>>
>> Start by posting both boxes ip configuration details. From a command
>> prompt on both dc's run the following:
>>
>> ipconfig /all
>>
>> Next from each DC at a command prompt run the following and post:
>> nltest /server:<servername> /dsgetdc:<domainname>
>>
>> Note: Feel free to modify the output, so as not to disclose any
>> valuable information. Such as changing the first couple of
>> octets on your ip addresses, but please be consistent (192.168. is a
>> good replacement value).
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.

From Server1:

System Date: Mon Jul 06 08:05:37 2009

Command run:

dnslint /ad /s 192.168.1.9

Root of Active Directory Forest:

domain.dns

Active Directory Forest Replication GUIDs Found:

DC: server1
GUID: 10054e4e-3786-4858-a745-5a3b299c2326
DC: server2
GUID: d963b078-1f27-4154-8436-870d19935efe
Total GUIDs found: 2

--------------------------------------------------------------------------------

The following 2 DNS servers were checked for records related to AD forest replication:

DNS server: server1.domain.dns
IP Address: 192.168.1.9
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: server1.domain.dns
Hostmaster: hostmaster.domain.dns
Zone serial number: 3
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
server1.domain.dns Unknown
server2.domain.dns Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
Alias: server1.domain.dns
Glue: 192.168.1.9
CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
Alias: server2.domain.dns
Glue: 192.168.1.51
Total number of CNAME records found on this server: 2
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0

--------------------------------------------------------------------------------

DNS server: server2.domain.dns
IP Address: 192.168.1.51
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: server2.domain.dns
Hostmaster: hostmaster.domain.dns
Zone serial number: 3
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
server2.domain.dns Unknown
server1.domain.dns Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
Alias: server1.domain.dns
Glue: 192.168.1.9
CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
Alias: server2.domain.dns
Glue: 192.168.1.51
Total number of CNAME records found on this server: 2
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0

From Server2:

System Date: Mon Jul 06 07:58:43 2009

Command run:

dnslint /ad /s 192.168.1.51

Root of Active Directory Forest:

domain.dns

Active Directory Forest Replication GUIDs Found:

DC: SERVER1
GUID: 10054e4e-3786-4858-a745-5a3b299c2326
DC: SERVER2
GUID: d963b078-1f27-4154-8436-870d19935efe
Total GUIDs found: 2

--------------------------------------------------------------------------------

The following 2 DNS servers were checked for records related to AD forest replication:

DNS server: server2.domain.dns
IP Address: 192.168.1.51
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: server2.domain.dns
Hostmaster: hostmaster.domain.dns
Zone serial number: 3
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
server1.domain.dns Unknown
server2.domain.dns Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
Alias: server1.domain.dns
Glue: 192.168.1.9
CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
Alias: server2.domain.dns
Glue: 192.168.1.51
Total number of CNAME records found on this server: 2
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0

--------------------------------------------------------------------------------

DNS server: server1.domain.dns
IP Address: 192.168.1.9
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: server1.domain.dns
Hostmaster: hostmaster.domain.dns
Zone serial number: 3
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
server2.domain.dns Unknown
server1.domain.dns Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 10054e4e-3786-4858-a745-5a3b299c2326._msdcs.domain.dns
Alias: server1.domain.dns
Glue: 192.168.1.9
CNAME: d963b078-1f27-4154-8436-870d19935efe._msdcs.domain.dns
Alias: server2.domain.dns
Glue: 192.168.1.51
Total number of CNAME records found on this server: 2
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0

Hello Haji,

Did you change the ip address to UNKNOWN in these lines:

Additional authoritative (NS) records from server:
server1.domain.dns Unknown
server2.domain.dns Unknown

Your domain name is ending with .dns, or is this just a placeholder?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

No, I didn't change the IP addresses to Unknown.
Yes, my domain ends in .dns
: Enabled > >>> nltest /server:server1 /dsgetdc:domain.dns > >>> DC: \\server1.domain.dns > >>> Address: \\192.168.1.9 > >>> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44 > >>> Dom Name: domain.dns > >>> Forest Name: domain.dns > >>> Dc Site Name: Default-First-Site-Name > >>> Our Site Name: Default-First-Site-Name > >>> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST > >>> CLOSE_SITE FULL SECRET > >>> "Paul Bergson [MVP-DS]" wrote: > >>>> Sounds to me like you haven't made the new box a GC or not a DNS > >>>> server. > >>>> > >>>> Start by posting both boxes ip configuration details. From a > >>>> command prompt on both dc's run the following: > >>>> > >>>> ipconfig /all > >>>> > >>>> Next from each DC at a command prompt run the following and post: > >>>> nltest /server:<servername> /dsgetdc:<domainname> > >>>> > >>>> Note: Feel free to modify the output, so as not to disclose any > >>>> valuable information. Such as changing the the first couple of > >>>> octets on your ip addresses, but please be consistent (192.168. is > >>>> a good replacement value). > >>>> > >>>> -- > >>>> Paul Bergson > >>>> MVP - Directory Services > >>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci > >>>> 2008, 2003, 2000 (Early Achiever), NT4 > >>>> http://www.pbbergs.com Hello Haji,
Did you follow the advice/questions from Ace and made the changes regarding WINS? Also strange is that "Unknown" is listed instead of the ip address.

Please check in the DNS zones, do you have _msdcs.domain.dns and domain.dns listed?

Are included in domain.dns _msdcs, _sites, _tcp, _udp, DomainDNSzones and ForestDNSzones with additional folders in the structure?

Are all DCs listed with _ldap and _kerberos listed and Global Catalog servers with _gc depending on the different folders?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> No, I didn't change the IP addresses to Unknown.
>
> Yes, my domain ends in .dns
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Haji,
>>
>> Did you change the ip address to UNKNOWN in this lines:
>>
>> Additional authoritative (NS) records from server:
>> server1.domain.dns Unknown
>> server2.domain.dns Unknown
>> Your domain name is ending with .dns, or is this just a placeholder?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!!
>> http://www.blakjak.demon.co.uk/mul_crss.htm

Everything that you are asking about in the DNS structure checks out. I've
also updated each server to point to itself for WINS, so yes, that change has been made. Sorry for the pain in this, but I am learning a lot.

"Haji" <H***@discussions.microsoft.com> wrote in message news:9F0E1257-667F-41C5-9AEB-A5EEC36EAEC2@microsoft.com...

Ok, let's try to get caught up and recap what's been done so far. This thread has grown, and is difficult to go back through everything to catch up with everything that has been changed, etc.

> Everything that you are asking about in the DNS structure checks out. I've
> also updated each server to point to itself for WINS, so yes, that change has
> been made. Sorry for the pain in this, but I am learning a lot.

Glad to hear you changed the WINS address so far.

Going back to the subject line, are you still unable to demote the 2008 DC? If so, have you tried the /forceremoval switch?

Whatever happened with Server1's event id 13555 and 13552? Which server was that on? Were they addressed? Is the Sysvol share still missing?

Sounds like if all we need to do is remove Server1, which is having problems, and leave Server2, which is not having problems, then maybe if I can suggest to run dcpromo /forceremoval on Server1, and clean up AD using the Metadata Cleanup procedure in the following article: http://support.microsoft.com/kb/216498.

You can also run the Metadata Cleanup Script, which was written by a Microsoft employee, and posted by Mark MacLachlan as an FAQ at:
http://www.tek-tips.com/faqs.cfm?fid=4733

Once it is cleaned up, delete any reference to Server1 in Sites and Services. Delete any residual references in DNS. Check all folders. Seize the FSMO roles to Server2.
Remove the DNS address for Server1 from Server2's IP properties.

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain ....
Describes how you can use the Ntdsutil.exe utility to transfer or to seize Flexible Single Master Operations (FSMO) roles.
http://support.microsoft.com/kb/255504

Remove the WINS partnership.

Then once this is all done, post back with the following:

Updated ipconfig /all of Server2
Any event log errors on Server2
dcdiag /v /fix
netdiag /v /fix

Thanks,
Ace

Been on vacation... sorry
Guys thanks for picking this up

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Haji" <H***@discussions.microsoft.com> wrote in message
news:50197C4B-1DCC-4AB1-B8B7-DB06D2B5F6A7@microsoft.com...
> In Active Directory Sites and Services, both Server1 and Server 2 are listed
> as IP Bridgeheads, and both are GC's. Both servers have Active Directory
> integrated DNS running on them.
>
> Windows IP Configuration
>
> Host Hame . . . . . . . . . . . . : server2
> Primary Dns Suffix . . . . . . . : domain.dns
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : domain.dns
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : domain.dns
> Description . . . . . . . . . . . : TEAM : Team #0
> Physical Address. . . . . . . . . : 00-30-48-B8-96-8D
> DHCP Enabled. . . . . . . . . . . : No
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 192.168.1.51(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
> DNS Servers . . . . . . . . . . . : 192.168.1.51
>                                     192.168.1.9
> Primary WINS Server . . . . . . . : 192.168.1.9
> Secondary WINS Server . . . . . . : 192.168.1.51
> NetBIOS over Tcpip. . . . . . . . : Enabled
>
> nltest /server:server2 /dsgetdc:domain.dns
>
> DC: \\server1.domain.dns
> Address: \\192.168.1.9
> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> Dom Name: domain.dns
> Forest Name: domain.dns
> Dc Site Name: Default-First-Site-Name
> Our Site Name: Default-First-Site-Name
> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
> CLOSE_SITE FULL SECRET
>
>
>
> Windows IP Configuration
>
> Host Hame . . . . . . . . . . . . : server1
> Primary Dns Suffix . . . . . . . : domain.dns
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : domain.dns
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : domain.dns
> Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
> Physical Address. . . . . . . . . : 00-E0-81-58-2F-98
> DHCP Enabled. . . . . . . . . . . : No
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
> DNS Servers . . . . . . . . . . . : 192.168.1.9
>                                     192.168.1.51
> Primary WINS Server . . . . . . . : 192.168.1.51
> Secondary WINS Server . . . . . . : 192.168.1.9
> NetBIOS over Tcpip. . . . . . . . : Enabled
>
> nltest /server:server1 /dsgetdc:domain.dns
>
> DC: \\server1.domain.dns
> Address: \\192.168.1.9
> Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
> Dom Name: domain.dns
> Forest Name: domain.dns
> Dc Site Name: Default-First-Site-Name
> Our Site Name: Default-First-Site-Name
> Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
> CLOSE_SITE FULL SECRET
>
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> Sounds to me like you haven't made the new box a GC or not a DNS server.
>>
>> Start by posting both boxes ip configuration details. From a command prompt
>> on both dc's run the following:
>>
>> ipconfig /all
>>
>> Next from each DC at a command prompt run the following and post:
>> nltest /server:<servername> /dsgetdc:<domainname>
>>
>> Note: Feel free to modify the output, so as not to disclose any valuable
>> information. Such as changing the first couple of octets on your ip
>> addresses, but please be consistent (192.168. is a good replacement
>> value).
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup This
>> posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "Haji" <H***@discussions.microsoft.com> wrote in message
>> news:35A43720-2CE5-4AAE-AB54-CE7FEFB7FCC6@microsoft.com...
>> > I've got a Windows 2008 box that was my only DC in my test network that is
>> > on some rather aged hardware. I've built a new box to replace the old DC
>> > with, installed Server 2008 on it, added it to the domain, ran dcpromo,
>> > kicked it up to a GC, and transferred the FSMO roles over to it. However,
>> > when I run dcpromo on the old box that I'm wanting to retire, I get the
>> > following message:
>> >
>> > "You did not indicate that this Active Directory domain controller is the
>> > last domain controller for the domain test.dns. However, no other Active
>> > Directory domain controllers for that domain can be contacted."
>> >
>> > I've also noticed that when the old box is powered down, none of my test
>> > workstations can map a drive to the new server, due to an authentication
>> > failure. The ID that the server is logged into is an enterprise admin ID,
>> > and this is a single domain setup (no child domains in the forest). Both
>> > the forest and the domain are at 2008 functional level. Each server has
>> > DNS installed and is AD Integrated. Each server points to the other for
>> > DNS primary, and itself for secondary.
>> >
>> > I'm sure there is more information that is needed that I haven't provided,
>> > just let me know what you need and I'll post it, but if anyone can help me
>> > out, I'd really like to learn what this issue is and how to fix it.
>>
>>

"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:%23ea3oHx$JHA.5092@TK2MSFTNGP03.phx.gbl...

Hey, no problem, Paul! We are all here to help each other!

> Been on vacation... sorry
>
> Guys thanks for picking this up

And I hope you enjoyed your vacation.

Ace
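The two nltest results quoted in this thread can be compared mechanically. The following is an added example, not code from any poster: it parses the posted /dsgetdc output and reports which DC each query returned. The function names and the REQUIRED_FLAGS set are assumptions chosen for illustration.

```python
import re

# nltest /dsgetdc output as posted in the thread; the poster's two captures
# (run with /server:server1 and /server:server2) are identical.
POSTED = r"""
DC: \\server1.domain.dns
Address: \\192.168.1.9
Dom Guid: 2f26d5af-721b-4241-ae44-da0d50023e44
Dom Name: domain.dns
Forest Name: domain.dns
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
CLOSE_SITE FULL SECRET
"""
CAPTURES = {"server1": POSTED, "server2": POSTED}

# Assumption for this example: roles the answering DC is expected to advertise.
REQUIRED_FLAGS = {"GC", "DS", "LDAP", "KDC", "WRITABLE"}

def parse_dsgetdc(text):
    """Return {field: value}; a line without 'Key:' continues the previous field."""
    fields, last = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = re.match(r"([A-Za-z ]+):\s*(.*)$", line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2)
        elif last:
            fields[last] += " " + line
    return fields

def check(queried, text):
    """Compare the DC named in the reply with the server the query ran on."""
    f = parse_dsgetdc(text)
    answered = f["DC"].lstrip("\\").split(".")[0].lower()
    flags = set(f.get("Flags", "").split())
    return {
        "queried": queried,
        "answered_by": answered,
        "self_located": answered == queried.lower(),
        # Flags describe the DC that answered, not the server queried.
        "missing_flags": sorted(REQUIRED_FLAGS - flags),
    }

if __name__ == "__main__":
    for name, text in CAPTURES.items():
        print(check(name, text))
```

On the posted output the server2 query is answered by server1, so the GC and KDC flags shown are server1's and say nothing about what server2 advertises.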