Hi all! I need help with AD. I am creating a new domain in a new forest on Windows Server 2012 Std, and after a reboot every service reports: 1355 The specified domain either does not exist or could not be contacted.
In order.
Hardware platform: HP ML350 Gen9, RAID1 2×1 TB.
OS: Windows Server 2012 (an evaluation version for the duration of the experiments), updates installed.
Errors in the logs:
Directory Service log
Имя журнала: Directory Service
Источник: Microsoft-Windows-ActiveDirectory_DomainService
Дата: 10.01.2015 22:26:11
Код события: 1126
Категория задачи:Глобальный каталог
Уровень: Ошибка
Ключевые слова:Классический
Пользователь: АНОНИМНЫЙ ВХОД
Компьютер: DC.NOVPT.local
Описание:
Доменным службам Active Directory не удается подключиться к глобальному каталогу.
Дополнительные данные
Значение ошибки:
1355 Указанный домен не существует или к нему невозможно подключиться.
Внутренний идентификатор:
3200e24
Действие пользователя:
Убедитесь, что глобальный каталог находится в лесу и доступен для контроллера домена. Для диагностики можно использовать программу NLTEST.
Xml события:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="49152">1126</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>18</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2015-01-10T19:26:11.264976000Z" />
<EventRecordID>78</EventRecordID>
<Correlation />
<Execution ProcessID="572" ThreadID="764" />
<Channel>Directory Service</Channel>
<Computer>DC.NOVPT.local</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
<Data>3200e24</Data>
<Data>1355</Data>
<Data>Указанный домен не существует или к нему невозможно подключиться.</Data>
</EventData>
</Event>
—————
Имя журнала: Directory Service
Источник: Microsoft-Windows-ActiveDirectory_DomainService
Дата: 10.01.2015 22:27:38
Код события: 1844
Категория задачи:Разрешение имен
Уровень: Предупреждение
Ключевые слова:Классический
Пользователь: NOVPT\Администратор
Компьютер: DC.NOVPT.local
Описание:
Локальному контроллеру домена не удается подключиться к следующему контроллеру домена, хранящему следующий раздел каталога, для разрешения различающихся имен.
Контроллер домена:
Раздел каталога:
NOVPT.local
Дополнительные данные
Значение ошибки:
1355 Указанный домен не существует или к нему невозможно подключиться.
Внутренний ID:
3200e24
Xml события:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="32768">1844</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2015-01-10T19:27:38.317390400Z" />
<EventRecordID>79</EventRecordID>
<Correlation />
<Execution ProcessID="572" ThreadID="1352" />
<Channel>Directory Service</Channel>
<Computer>DC.NOVPT.local</Computer>
<Security UserID="S-1-5-21-765395494-3087550675-3061494156-500" />
</System>
<EventData>
<Data>NOVPT.local</Data>
<Data>1355</Data>
<Data>3200e24</Data>
<Data>Указанный домен не существует или к нему невозможно подключиться.</Data>
<Data>
</Data>
</EventData>
</Event>
===========
DNS log
Имя журнала: DNS Server
Источник: Microsoft-Windows-DNS-Server-Service
Дата: 10.01.2015 22:11:27
Код события: 4013
Категория задачи:Отсутствует
Уровень: Предупреждение
Ключевые слова:Классический
Пользователь: Н/Д
Компьютер: DC.NOVPT.local
Описание:
DNS-сервер ожидает от доменных служб Active Directory (AD DS) сигнала о том, что первичная синхронизация каталога завершена. Службу DNS-сервера невозможно запустить до завершения первичной синхронизации, так как критические данные DNS могут
быть еще не реплицированными на этот контроллер домена. Если журнал событий AD DS показывает, что имеются проблемы с разрешением DNS-имен в адреса, рассмотрите возможность добавления IP-адреса другого DNS-сервера
для этого домена в список DNS-серверов в свойствах протокола IP этого компьютера. Такое событие будет записываться в журнал каждые две минуты, пока служба AD DS не сообщит об успешном завершении первичной синхронизации.
Xml события:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" EventSourceName="DNS" />
<EventID Qualifiers="32768">4013</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-01-10T19:11:27.000000000Z" />
<EventRecordID>30</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>DNS Server</Channel>
<Computer>DC.NOVPT.local</Computer>
<Security />
</System>
<EventData Name="DNS_EVENT_DS_OPEN_WAIT">
</EventData>
</Event>
————
Имя журнала: DNS Server
Источник: Microsoft-Windows-DNS-Server-Service
Дата: 10.01.2015 22:19:49
Код события: 4512
Категория задачи:Отсутствует
Уровень: Предупреждение
Ключевые слова:Классический
Пользователь: Н/Д
Компьютер: DC.NOVPT.local
Описание:
DNS-сервер не может создать встроенный раздел каталога DomainDnsZones.NOVPT.local. Ошибка 9906.
Xml события:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" EventSourceName="DNS" />
<EventID Qualifiers="32768">4512</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-01-10T19:19:49.000000000Z" />
<EventRecordID>33</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>DNS Server</Channel>
<Computer>DC.NOVPT.local</Computer>
<Security />
</System>
<EventData Name="DNS_EVENT_DP_CANT_CREATE_BUILTIN">
<Data Name="param1">DomainDnsZones.NOVPT.local</Data>
<Data Name="param2">9906</Data>
<Binary>B2260000</Binary>
</EventData>
</Event>
————-
Имя журнала: DNS Server
Источник: Microsoft-Windows-DNS-Server-Service
Дата: 10.01.2015 22:19:49
Код события: 4512
Категория задачи:Отсутствует
Уровень: Предупреждение
Ключевые слова:Классический
Пользователь: Н/Д
Компьютер: DC.NOVPT.local
Описание:
DNS-сервер не может создать встроенный раздел каталога ForestDnsZones.NOVPT.local. Ошибка 9906.
Xml события:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" EventSourceName="DNS" />
<EventID Qualifiers="32768">4512</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-01-10T19:19:49.000000000Z" />
<EventRecordID>34</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>DNS Server</Channel>
<Computer>DC.NOVPT.local</Computer>
<Security />
</System>
<EventData Name="DNS_EVENT_DP_CANT_CREATE_BUILTIN">
<Data Name="param1">ForestDnsZones.NOVPT.local</Data>
<Data Name="param2">9906</Data>
<Binary>B2260000</Binary>
</EventData>
</Event>
————
Имя журнала: DNS Server
Источник: Microsoft-Windows-DNS-Server-Service
Дата: 10.01.2015 22:40:21
Код события: 4015
Категория задачи:Отсутствует
Уровень: Ошибка
Ключевые слова:Классический
Пользователь: Н/Д
Компьютер: DC.NOVPT.local
Описание:
DNS-сервер обнаружил критическую ошибку Active Directory. Проверьте работоспособность Active Directory. Дополнительная отладочная информация об ошибке: «00002189: SvcErr: DSID-03200E24, problem 5002 (UNAVAILABLE), data 1355» (может отсутствовать).
Данные о событии содержат сведения об ошибке.
Xml события:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" EventSourceName="DNS" />
<EventID Qualifiers="49152">4015</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-01-10T19:40:21.000000000Z" />
<EventRecordID>35</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>DNS Server</Channel>
<Computer>DC.NOVPT.local</Computer>
<Security />
</System>
<EventData Name="DNS_EVENT_DS_INTERFACE_ERROR">
<Data Name="param1">00002189: SvcErr: DSID-03200E24, problem 5002 (UNAVAILABLE), data 1355</Data>
<Binary>34000000</Binary>
</EventData>
</Event>
==================
DFS Replication log
Имя журнала: DFS Replication
Источник: DFSR
Дата: 10.01.2015 22:54:16
Код события: 6016
Категория задачи:Отсутствует
Уровень: Предупреждение
Ключевые слова:Классический
Пользователь: Н/Д
Компьютер: DC.NOVPT.local
Описание:
Службе репликации DFS не удалось обновить конфигурацию в доменных службах Active Directory. Служба периодически будет пытаться повторить эту операцию.
Дополнительные сведения:
Категория объекта: msDFSR-LocalSettings
DN объекта: CN=DFSR-LocalSettings,CN=DC,OU=Domain Controllers,DC=NOVPT,DC=local
Ошибка: 1355 (Указанный домен не существует или к нему невозможно подключиться.)
Контроллер домена:
Цикл опроса: 60
Xml события:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="DFSR" />
<EventID Qualifiers="32768">6016</EventID>
<Level>3</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-01-10T19:54:16.000000000Z" />
<EventRecordID>63</EventRecordID>
<Channel>DFS Replication</Channel>
<Computer>DC.NOVPT.local</Computer>
<Security />
</System>
<EventData>
<Data>msDFSR-LocalSettings</Data>
<Data>CN=DFSR-LocalSettings,CN=DC,OU=Domain Controllers,DC=NOVPT,DC=local</Data>
<Data>1355</Data>
<Data>Указанный домен не существует или к нему невозможно подключиться.</Data>
<Data>
</Data>
<Data>60</Data>
</EventData>
</Event>
=================
As a result, the output of dcdiag looks like this:
Диагностика сервера каталогов
Выполнение начальной настройки:
Выполняется попытка поиска основного сервера…
Основной сервер = DC
* Определен лес AD.
Сбор начальных данных завершен.
Выполнение обязательных начальных проверок
Сервер проверки: Default-First-Site-Name\DC
Запуск проверки: Connectivity
……………………. DC — пройдена проверка Connectivity
Выполнение основных проверок
Сервер проверки: Default-First-Site-Name\DC
Запуск проверки: Advertising
Неустранимая ошибка: сбой при вызове DsGetDcName (DC), ошибка 1355
Локатору не удается найти сервер.
……………………. DC — не пройдена проверка Advertising
Запуск проверки: FrsEvent
……………………. DC — пройдена проверка FrsEvent
Запуск проверки: DFSREvent
За последние 24 часа после предоставления SYSVOL в общий доступ зафиксированы предупреждения или сообщения об
ошибках. Сбои при репликации SYSVOL могут стать причиной проблем групповой политики.
……………………. DC — не пройдена проверка DFSREvent
Запуск проверки: SysVolCheck
……………………. DC — пройдена проверка SysVolCheck
Запуск проверки: KccEvent
……………………. DC — пройдена проверка KccEvent
Запуск проверки: KnowsOfRoleHolders
……………………. DC — пройдена проверка KnowsOfRoleHolders
Запуск проверки: MachineAccount
……………………. DC — пройдена проверка MachineAccount
Запуск проверки: NCSecDesc
……………………. DC — пройдена проверка NCSecDesc
Запуск проверки: NetLogons
Не удается подключиться к общему ресурсу NETLOGON. (\\DC\netlogon)
[DC] Сбой операции net use или LsaPolicy с ошибкой 67, Не найдено сетевое имя..
……………………. DC — не пройдена проверка NetLogons
Запуск проверки: ObjectsReplicated
……………………. DC — пройдена проверка ObjectsReplicated
Запуск проверки: Replications
……………………. DC — пройдена проверка Replications
Запуск проверки: RidManager
……………………. DC — пройдена проверка RidManager
Запуск проверки: Services
……………………. DC — пройдена проверка Services
Запуск проверки: SystemLog
Возникло предупреждение. Код события (EventID): 0x000003F6
Время создания: 01/10/2015 22:18:23
Строка события:
Разрешение имен для имени _ldap._tcp.NOVPT. истекло после отсутствия ответа от настроенных серверов DNS.
Возникла ошибка. Код события (EventID): 0x00000423
Время создания: 01/10/2015 23:11:41
Строка события: Служба DHCP не смогла обнаружить папку для авторизации сервера.
Возникла ошибка. Код события (EventID): 0xC00038D6
Время создания: 01/10/2015 23:14:19
Строка события:
Службе пространства имен не удалось инициализировать сведения о доверительных отношениях между лесами на этом контроллере домена; она будет периодически повторять выполнение операции. Код возврата находится в данных.
……………………. DC — не пройдена проверка SystemLog
Запуск проверки: VerifyReferences
……………………. DC — пройдена проверка VerifyReferences
Выполнение проверок разделов на: Schema
Запуск проверки: CheckSDRefDom
……………………. Schema — пройдена проверка CheckSDRefDom
Запуск проверки: CrossRefValidation
……………………. Schema — пройдена проверка CrossRefValidation
Выполнение проверок разделов на: Configuration
Запуск проверки: CheckSDRefDom
……………………. Configuration — пройдена проверка CheckSDRefDom
Запуск проверки: CrossRefValidation
……………………. Configuration — пройдена проверка CrossRefValidation
Выполнение проверок разделов на: NOVPT
Запуск проверки: CheckSDRefDom
……………………. NOVPT — пройдена проверка CheckSDRefDom
Запуск проверки: CrossRefValidation
……………………. NOVPT — пройдена проверка CrossRefValidation
Выполнение проверок предприятия на: NOVPT.local
Запуск проверки: LocatorCheck
Внимание! Сбой при вызове функции DcGetDcName(GC_SERVER_REQUIRED), ошибка 1355
Не удается найти сервер глобального каталога — все глобальные каталоги отключены.
Внимание! Сбой при вызове функции DcGetDcName(TIME_SERVER), ошибка 1355
Не удается найти сервер времени.
Сервер, которому принадлежит роль PDC, отключен.
Внимание! Сбой при вызове функции DcGetDcName(GOOD_TIME_SERVER_PREFERRED), ошибка 1355
Не удается найти сервер точного времени.
Внимание! Сбой при вызове функции DcGetDcName(KDC_REQUIRED), ошибка 1355
Не удается найти центр распространения ключей (KDC) — все KDC отключены.
……………………. NOVPT.local — не пройдена проверка LocatorCheck
Запуск проверки: Intersite
……………………. NOVPT.local — пройдена проверка Intersite
==================
nslookup
PS C:\Users\Администратор> nslookup novpt.local
Сервер: UnKnown
Address: 192.168.1.1
Имя: novpt.local
Address: 192.168.1.1
=======
Output of ipconfig /all
C:\Users\Администратор>ipconfig /all
Настройка протокола IP для Windows
Имя компьютера . . . . . . . . . : DC
Основной DNS-суффикс . . . . . . : NOVPT.local
Тип узла. . . . . . . . . . . . . : Гибридный
IP-маршрутизация включена . . . . : Нет
WINS-прокси включен . . . . . . . : Нет
Порядок просмотра суффиксов DNS . : NOVPT.local
Ethernet adapter Embedded LOM 1 Port 1:
DNS-суффикс подключения . . . . . :
Описание. . . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
Физический адрес. . . . . . . . . : FC-15-B4-84-44-52
DHCP включен. . . . . . . . . . . : Нет
Автонастройка включена. . . . . . : Да
IPv4-адрес. . . . . . . . . . . . : 192.168.1.1(Основной)
Маска подсети . . . . . . . . . . : 255.255.255.0
Основной шлюз. . . . . . . . . : 192.168.1.3
DNS-серверы. . . . . . . . . . . : 192.168.1.1
NetBios через TCP/IP. . . . . . . . : Включен
On the forum I came across an identical situation; it described a problem with DFS, and the recommendation marked as the answer was to run the PowerShell command: (Get-WmiObject -Namespace "Root\MicrosoftDFS" -Class DfsrVolumeConfig).ResumeReplication()
Here is my result of running it:
PS C:\Users\Администратор> (Get-WmiObject -Namespace "Root\MicrosoftDFS" -Class DfsrVolumeConfig).ResumeReplication()
Невозможно вызвать метод для выражения со значением NULL.
строка:1 знак:1
+ (Get-WmiObject -Namespace "Root\MicrosoftDFS" -Class DfsrVolumeConfig).ResumeRep …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
I would very much appreciate help resolving this problem. Thanks in advance.
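The posts in this thread all run the same handful of checks by hand: nltest /dsgetdc, an nslookup of the _ldap._tcp SRV record, ipconfig to see which DNS server the DC is using, and a look at whether the NETLOGON and SYSVOL shares exist. The script below is an added example, not code from any of the posts or from Microsoft; it gathers those read-only checks into one run so the symptom behind error 1355 can be narrowed down before anything is changed. It assumes an elevated PowerShell session on the affected domain controller running Windows Server 2012 or later (for Resolve-DnsName and Get-SmbShare). The function name Test-DcLocator, the $Domain parameter and the result-table layout are this example's own choices, and the SysvolReady registry value it reads is a standard Netlogon setting that the thread itself does not quote.

```powershell
# Added example (not from the thread): read-only triage of the checks behind error 1355.
# Assumes an elevated PowerShell session on the DC itself, Windows Server 2012 or later.
function Test-DcLocator {
    param(
        # DNS name of the domain this DC should advertise for; defaults to the machine's own domain
        [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain
    )

    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Check($Check, $Ok, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" })
    }

    # 1. Which DNS servers does the DC's own client use? A sole DC should point at itself
    #    (the first post's ipconfig shows 192.168.1.1 -> 192.168.1.1, which is correct).
    $dnsServers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
                    ForEach-Object { $_.ServerAddresses } | Where-Object { $_ })
    Add-Check 'DNS client servers' ($dnsServers.Count -gt 0) ($dnsServers -join ', ')

    # 2. Locator SRV records: DsGetDcName (and dcdiag's Advertising test) depend on these.
    foreach ($name in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
        try {
            $srv = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' })
            $targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            Add-Check "SRV $name" ($srv.Count -gt 0) $targets
        } catch {
            Add-Check "SRV $name" $false $_.Exception.Message
        }
    }

    # 3. NETLOGON and SYSVOL shares: a later post traces its 1355 to these being absent.
    $shares = @(Get-SmbShare | ForEach-Object { $_.Name })
    foreach ($share in 'NETLOGON', 'SYSVOL') {
        Add-Check "Share $share" ($shares -contains $share) $(if ($shares -contains $share) { 'present' } else { 'missing' })
    }

    # 4. Netlogon only creates those shares once SYSVOL is reported ready (SysvolReady = 1).
    #    SysvolReady is a standard Netlogon registry value; the thread itself does not mention it.
    $nlParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    Add-Check 'SysvolReady flag' ($nlParams.SysvolReady -eq 1) "value=$($nlParams.SysvolReady)"

    # 5. Services on the locator path; NtFrs or DFSR is whichever engine replicates SYSVOL here.
    foreach ($svc in 'DNS', 'Netlogon', 'KDC', 'NTDS', 'NtFrs', 'DFSR') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s) { Add-Check "Service $svc" ($s.Status -eq 'Running') $s.Status }
    }

    # 6. The same locator call dcdiag's Advertising test makes; status 1355 here is the thread's symptom.
    $nltestOut = @(& nltest /dsgetdc:$Domain 2>&1)
    Add-Check 'nltest /dsgetdc' ($LASTEXITCODE -eq 0) (($nltestOut | Select-Object -First 1) -replace '\s+', ' ')

    return $results
}

Test-DcLocator | Format-Table -AutoSize
```

Read the table from the top down: if the SRV rows fail, the problem is DNS registration (the first post's event 4013/4512 territory); if the SRV rows pass but the share rows or the SysvolReady flag fail, the locator is refusing to advertise because SYSVOL never came up; only when everything above passes does a failing nltest row point at something else. The script changes nothing, so it is safe to run before and after any repair step to confirm what the repair actually fixed.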
Knowledge base: Windows Server
How we hit the error:
- Joined a new server to the domain and promoted it to a domain controller
- Transferred all the roles to it and made it a global catalog server
- The old server did not hand over the roles cleanly
- The new server does not consider itself a working domain controller
Diagnostics
dcdiag reports: Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
netdiag reports:
Domain membership test . . . . . . : Failed
[WARNING] The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
In the "Active Directory Users and Computers" snap-in, opening the operations master information on the old server shows "Error".
What happened: the initial synchronization from the old domain controller did not complete properly.
Fix
Run the following commands:
net stop ntfrs
rd /s /q c:\winnt\ntfrs\jet
net start ntfrs
Then run dcdiag and netdiag again. All tests should complete without errors.
Hi,
Please help clarify the current problems. Is it a logon issue or a Group Policy application issue on XP?
Please check the following support articles first:
Event ID 1054 is logged in the Application log in Windows Server 2003 or in Windows XP Professional
http://support.microsoft.com/kb/324174
You may receive event ID 5807 on a Windows Server 2003-based domain controller
http://support.microsoft.com/kb/889031#top
If the issue persists, please help gather the following files for research.
Please collect the following files on BKRBR0223DC110:
dcdiag /v >c:\dcdiag.txt
netdiag /v >c:\netdiag.txt
ipconfig /all > c:\ipconfig.txt
Please also run the following command on one problematic XP client:
ipconfig /all > c:\ipconfig.txt
Upload these files to the following workspace.
————————————————————
You can upload the information files to the following link. (Please choose "Send Files to Microsoft")
Workspace URL: (https://sftus.one.microsoft.com/choosetransfer.aspx?key=1bca2fae-7a43-4768-819b-384843894790)
Password: Y)3Q!C4Vfe
Note: Due to differences in text formatting with various email clients, the workspace link above may appear to be broken.
Please be sure to include all text between '(' and ')' when typing or copying the workspace link into your browser. Meanwhile, please note that files uploaded more than 72 hours ago will be deleted automatically. Please be sure to notify me promptly after you have uploaded the files. Thank you for your understanding.
Thanks.
Nina
This posting is provided "AS IS" with no warranties, and confers no rights.
-
Marked as answer by
Nina Liu — MSFT
Thursday, November 25, 2010 2:04 PM
EDIT: This problem was resolved by following the information found at this link:
https://support.microsoft.com/en-us/help/947022/the-netlogon-share-is-not-present-after-you-install-active-directory-d
Essentially, NETLOGON/SYSVOL were not being shared; by following the directions above, the issue was resolved.
Thanks joeqwerty for your replies.
I'm two days into this problem on a 2012 Server install. The previous server had crashed; the 2012 software was reinstalled and all patches applied. Active Directory is non-functional after promoting to DC (this is the sole DC in a new Forest). DNS seems to be functioning correctly.
I believe this entire problem relates to the following error message received while installing AD:
"The DNS Server was unable to create the built-in directory partition
ForestDnsZones.CLINIC.LAN. The error was 9906."
But it may just be another symptom.
DCDIAG information is below, but the first failure, error 1355, has me stuck.
nltest /DsGetDc:clinic.lan
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
This domain is now named "CLINIC" whereas before it was named "MEDICAL". This was done intentionally to avoid a conflict when workstations were added. Also, the Windows install was done from a Dell "Recover" operation, which essentially put all the old files in a directory "Windows.old" and created a new Windows installation beside it.
I’ve been through this process twice with no difference in the outcome.
Getting pretty desperate as users are down.
I will greatly appreciate any suggestions that might lead me to an approach to solving this problem. Have read just about everything I can find online to no avail.
NSLOOKUP CLINIC.LAN returns:
Server: UnKnown
Address: 10.1.10.200
Name: clinic.lan
Address: 10.1.10.200
This is the correct IP Address but I don’t know what to make of the reply.
Thanks, again for any help anyone can provide. The entire DCDIAG is listed below.
Directory Server Diagnosis
Performing initial setup:
Trying to find home server…
Home Server = WINSERV
- Identified AD Forest. Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\WINSERV
Starting test: Connectivity
......................... WINSERV passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\WINSERV
Starting test: Advertising
Fatal Error:DsGetDcName (WINSERV) call failed, error 1355
The Locator could not find the server.
......................... WINSERV failed test Advertising
Starting test: FrsEvent
......................... WINSERV passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... WINSERV failed test DFSREvent
Starting test: SysVolCheck
......................... WINSERV passed test SysVolCheck
Starting test: KccEvent
......................... WINSERV passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... WINSERV passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... WINSERV passed test MachineAccount
Starting test: NCSecDesc
......................... WINSERV passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\WINSERV\netlogon)
[WINSERV] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
......................... WINSERV failed test NetLogons
Starting test: ObjectsReplicated
......................... WINSERV passed test ObjectsReplicated
Starting test: Replications
......................... WINSERV passed test Replications
Starting test: RidManager
......................... WINSERV passed test RidManager
Starting test: Services
......................... WINSERV passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x00001695
Time Generated: 09/09/2019 10:24:34
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'MEDICAL.LAN.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
An error event occurred. EventID: 0xC00038D6
Time Generated: 09/09/2019 10:49:13
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
......................... WINSERV failed test SystemLog
Starting test: VerifyReferences
......................... WINSERV passed test VerifyReferences
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : CLINIC
Starting test: CheckSDRefDom
......................... CLINIC passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... CLINIC passed test CrossRefValidation
Running enterprise tests on : CLINIC.LAN
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... CLINIC.LAN failed test LocatorCheck
Starting test: Intersite
......................... CLINIC.LAN passed test Intersite
I am in the process of migrating our ADDS to a test environment.
The steps were as such:
- Install Win2008R2; dcpromo.exe to DC
- Isolate DC (separate network)
- Create DNS server with A records & Update rights for domain + domaincontroller
- Ran ipconfig /flushdns + ipconfig /registerdns
- Confirmed _msdcs entries in DNS server
- Re-seized FSMO roles on the DC
- Performed metadata cleanup
Environment:
- Windows 2008 R2 with ADDS Roles
- DNS Server (separate machine)
Symptoms:
- Best Practices Analyzer fails with 23 warnings, all related to: "This domain controller must register its correct IP addresses with the DNS server" - Event ID: 1126 — Active Directory Domain Services was unable to establish a connection with the global catalog
- nltest /dsgetdc:domainname
  Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
- nltest /server:lefdc /sc_query:domainname
  I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE
- dcdiag /test:dns reports OK
- dcdiag /fix reports:
  Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
  A Global Catalog Server could not be located — All GC's are down.
Full logs provided below:
servername : LEFDC1
PS C:\Windows\system32> nslookup
Default Server: testdns.my.domain.name
Address: 10.140.1.10
> set type=all
> _ldap._tcp.dc._msdcs.my.domain.name
Server: testdns.my.domain.name
Address: 10.140.1.10
_ldap._tcp.dc._msdcs.my.domain.name SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = lefdc1.my.domain.name
my.domain.name nameserver = testdns.my.domain.name
lefdc1.my.domain.name internet address = 10.140.1.15
testdns.my.domain.name internet address = 10.140.1.10
PS C:\Windows\system32> nltest /server:lefdc /sc_query:my.domain.name
I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE
PS C:\Windows\system32> dcdiag /test:dns /v /e /f:c:\dcdiag.log
PS C:\Windows\system32> nltest /dsgetdc:my.domain.name
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
PS C:\Windows\system32> ntdsutil
C:\Windows\system32\ntdsutil.exe: roles
fsmo maintenance: connection
server connections: connect to server lefdc1.my.domain.name
Binding to lefdc1.my.domain.name ...
Connected to lefdc1.my.domain.name using credentials of locally logged on user.
server connections: quit
fsmo maintenance: seize pdc
Attempting safe transfer of PDC FSMO before seizure.
FSMO transferred successfully - seizure not required.
Server "lefdc1.my.domain.name" knows about 5 roles
Schema - CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,DC=edu
Naming Master - CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,DC=simmons,dc=name
PDC - CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
RID - CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
Infrastructure - CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,DC=simmons,dc=name
fsmo maintenance:
PS C:\Windows\system32> dcdiag /fix
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = lefdc1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\LEFDC1
Starting test: Connectivity
......................... LEFDC1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\LEFDC1
Starting test: Advertising
Fatal Error:DsGetDcName (LEFDC1) call failed, error 1355
The Locator could not find the server.
......................... LEFDC1 failed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
......................... LEFDC1 passed test FrsEvent
Starting test: DFSREvent
......................... LEFDC1 passed test DFSREvent
Starting test: SysVolCheck
......................... LEFDC1 passed test SysVolCheck
Starting test: KccEvent
A warning event occurred. EventID: 0x80000B46
Time Generated: 10/07/2013 09:14:11
Event String:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL
(Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple
binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds,
configuring the server to reject them will improve the security of this server.
......................... LEFDC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... LEFDC1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... LEFDC1 passed test MachineAccount
Starting test: NCSecDesc
......................... LEFDC1 passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\LEFDC1\netlogon)
[LEFDC1] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
......................... LEFDC1 failed test NetLogons
Starting test: ObjectsReplicated
......................... LEFDC1 passed test ObjectsReplicated
Starting test: Replications
......................... LEFDC1 passed test Replications
Starting test: RidManager
......................... LEFDC1 passed test RidManager
Starting test: Services
......................... LEFDC1 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x0000A001
Time Generated: 10/07/2013 08:47:14
Event String:
The Security System could not establish a secured connection with the server ldap/my.domain.name/ad.simmons.edu@my.domain.name. No authentication protocol was available.
An error event occurred. EventID: 0xC00038D6
Time Generated: 10/07/2013 08:50:24
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but
it will periodically retry the operation. The return code is in the record data.
A warning event occurred. EventID: 0x000016AA
Time Generated: 10/07/2013 08:59:19
Event String:
None of the IP addresses (10.140.1.15) of this Domain Controller map to the configured site 'Default-First-Site-Name'. While this may be a temporary situation due to IP address changes, it is generally recommended that the IP address of the Domain Controller (accessible to machines in its domain) maps to the Site which it services. If the above list of IP addresses is stable, consider moving this server to a site (or create one if it does not already exist) such that the above IP address maps to the selected site. This may require the creation of a new subnet object (whose range includes the above IP address) which maps to the selected site object.
A warning event occurred. EventID: 0x000003F6
Time Generated: 10/07/2013 09:08:02
Event String:
Name resolution for the name www.microsoft.com timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0xC0002719
Time Generated: 10/07/2013 09:08:23
Event String:
DCOM was unable to communicate with the computer 10.140.1.10 using any of the configured protocols.
A warning event occurred. EventID: 0x8000001D
Time Generated: 10/07/2013 09:14:27
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
A warning event occurred. EventID: 0x000016AA
Time Generated: 10/07/2013 09:14:31
Event String:
None of the IP addresses (10.140.1.15) of this Domain Controller map to the configured site 'Default-First-Site-Name'. While this may be a temporary situation due to IP address changes, it is generally recommended that the IP address of the Domain Controller (accessible to machines in its domain) maps to the Site which it services. If the above list of IP addresses is stable, consider moving this server to a site (or create one if it does not already exist) such that the above IP address maps to the selected site. This may require the creation of a new subnet object (whose range includes the above IP address) which maps to the selected site object.
......................... LEFDC1 failed test SystemLog
Starting test: VerifyReferences
......................... LEFDC1 passed test VerifyReferences
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : ad
Starting test: CheckSDRefDom
......................... ad passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ad passed test CrossRefValidation
Running enterprise tests on : my.domain.name
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... my.domain.name failed test LocatorCheck
Starting test: Intersite
......................... my.domain.name passed test Intersite
PS C:\Windows\system32>
PS C:\Windows\system32> ntdsutil
C:\Windows\system32\ntdsutil.exe: metadata cleanup
metadata cleanup: connections
server connections: connect to server lefdc1
Binding to lefdc1 ...
Connected to lefdc1 using credentials of locally logged on user.
server connections: q
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - dc=my,dc=domain,dc=name
select operation target: select domain 0
No current site
Domain - dc=my,dc=domain,dc=name
No current server
No current Naming Context
select operation target: list sites
Found 2 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
1 - CN=SchoolofManagement,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
select operation target: select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
Domain - dc=my,dc=domain,dc=name
No current server
No current Naming Context
Output from dcdiag /testdns:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine lefdc1, is a Directory Server.
Home Server = lefdc1
* Connecting to directory service on server lefdc1.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=SchoolofManagement,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\LEFDC1
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... LEFDC1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\LEFDC1
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
See DNS test in enterprise tests section for results
......................... LEFDC1 passed test DNS
Running partition tests on : Schema
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Configuration
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : ad
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running enterprise tests on : my.domain.name
Starting test: DNS
Test results for domain controllers:
DC: lefdc1.my.domain.name
Domain: my.domain.name
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
The OS Microsoft Windows Server 2008 R2 Enterprise (Service Pack level: 1.0) is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is not a DNS server
Network adapters information:
Adapter [00000007] Broadcom NetXtreme 57xx Gigabit Controller:
MAC address is 00:19:B9:30:85:DF
IP address: 10.140.1.15
DNS servers:
10.140.1.10 (<name unavailable>) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
TEST: Records registration (RReg)
Network Adapter [00000007] Broadcom NetXtreme 57xx Gigabit Controller:
Matching CNAME record found at DNS server 10.140.1.10:
228de4e0-d8f0-447c-aad3-9c07ca7dd6c8._msdcs.my.domain.name
Matching A record found at DNS server 10.140.1.10:
lefdc1.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.a7ed6b46-86fe-471c-9a41-9fddd53d2e4c.domains._msdcs.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_kerberos._tcp.dc._msdcs.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.dc._msdcs.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_kerberos._tcp.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_kerberos._udp.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_kpasswd._tcp.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.Default-First-Site-Name._sites.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_kerberos._tcp.Default-First-Site-Name._sites.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.gc._msdcs.my.domain.name
Matching A record found at DNS server 10.140.1.10:
gc._msdcs.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_gc._tcp.Default-First-Site-Name._sites.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.pdc._msdcs.my.domain.name
Summary of test results for DNS servers used by the above domain controllers:
DNS server: 10.140.1.10 (<name unavailable>)
All tests passed on this DNS server
Name resolution is functional.
_ldap._tcp SRV record for the forest root domain is registered
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: my.domain.name
lefdc1 PASS PASS n/a n/a n/a PASS n/a
......................... my.domain.name passed test DNS
Test omitted by user request: LocatorCheck
Test omitted by user request: Intersite
Output from dcdiag /q
Fatal Error:DsGetDcName (LEFDC1) call failed, error 1355
The Locator could not find the server.
......................... LEFDC1 failed test Advertising
Unable to connect to the NETLOGON share! (\\LEFDC1\netlogon)
[LEFDC1] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
......................... LEFDC1 failed test NetLogons
An error event occurred. EventID: 0xC00038D6
Time Generated: 10/07/2013 08:50:24
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
An error event occurred. EventID: 0xC0002719
Time Generated: 10/07/2013 09:08:23
Event String:
DCOM was unable to communicate with the computer 10.140.1.10 using any of the configured protocols.
......................... LEFDC1 failed test SystemLog
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... my.domain.name failed test LocatorCheck
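The dcdiag output above is easier to triage when the failed tests and the DsGetDcName/1355 locator warnings are pulled out mechanically, and the locator SRV records that dcdiag /testdns verified can be re-queried against the DNS server the DC is configured to use. The PowerShell below is an added example, not code from the thread: the sample lines are copied from the dcdiag /q output above, the domain, site, host and DNS server values (my.domain.name, Default-First-Site-Name, lefdc1, 10.140.1.10) are the thread's, and because Resolve-DnsName needs Windows 8 / Server 2012 or later it should be run from a newer admin host rather than the 2008 R2 DC shown in the output.

```powershell
# Added example, not from the thread: triage captured dcdiag text, then verify the DC-locator SRV records.
function Get-DcdiagFailures {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # "......................... LEFDC1 failed test Advertising"
        if ($line -match '^\s*\.+\s+(\S+) failed test (\S+)') {
            [pscustomobject]@{ Kind = 'FailedTest'; Target = $Matches[1]; Detail = $Matches[2] }
        }
        # "Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355" / "DsGetDcName (LEFDC1) ... 1355"
        elseif ($line -match 'D[cs]GetDcName\s*\((\w+)\)\s*call failed, error (\d+)') {
            [pscustomobject]@{ Kind = 'LocatorError'; Target = $Matches[1]; Detail = $Matches[2] }
        }
    }
}

function Test-DcLocatorRecords {
    param([string]$Domain, [string]$Site, [string]$DnsServer, [string]$ExpectedHost)
    # SRV names a DC must register for clients to find an LDAP/KDC/GC/PDC server
    # (the ones dcdiag /testdns reported above as "Matching SRV record found").
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.gc._msdcs.$Domain",
        "_ldap._tcp.pdc._msdcs.$Domain",
        "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
        "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain"
    )
    foreach ($n in $names) {
        $srv = Resolve-DnsName -Name $n -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{
            Record     = $n
            Found      = [bool]$srv
            Targets    = (@($srv | ForEach-Object { $_.NameTarget }) -join ',')
            PointsToDc = [bool]($srv | Where-Object { $_.NameTarget -ieq $ExpectedHost })
        }
    }
}

# Sample input copied from the dcdiag /q output in the thread.
$sample = @'
Fatal Error:DsGetDcName (LEFDC1) call failed, error 1355
......................... LEFDC1 failed test Advertising
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
'@ -split "`r?`n"
Get-DcdiagFailures -Lines $sample | Format-Table -AutoSize
# Live check against the DNS server the DC is configured to use (10.140.1.10).
Test-DcLocatorRecords -Domain 'my.domain.name' -Site 'Default-First-Site-Name' `
    -DnsServer '10.140.1.10' -ExpectedHost 'lefdc1.my.domain.name' | Format-Table -AutoSize
```

To run the parser on a fresh capture instead of the sample, pass `dcdiag /q /s:LEFDC1` as the `-Lines` argument; a record that is `Found` but not `PointsToDc` means the name resolves to a different host than the DC being diagnosed.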