I had a client today who was unable to log onto any of his domain controllers as he was receiving the following error:
The system cannot log you on due to the following error:
The specified domain either does not exist or could not be contacted.
Please try again or consult your systems administrator.
Also, users could not get to network shares, print, or even access their email via Outlook. Basically their entire domain had fallen over in all locations.
Running a DCDIAG on the domain provided the following output:
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Balcatta\ORION2
Starting test: Connectivity
......................... ORION2 passed test Connectivity
Doing primary tests
Testing server: Balcatta\ORION2
Starting test: Replications
[Replications Check,ORION2] A recent replication attempt failed:
From ORIONCH to ORION2
Naming Context: DC=ForestDnsZones,DC=orion,DC=net,DC=au
The replication generated an error (1256):
Win32 Error 1256
The failure occurred at 2010-02-22 18:07:01.
The last success occurred at 2010-02-22 15:22:02.
11 failures have occurred since the last success.
[Replications Check,ORION2] A recent replication attempt failed:
From ORIONCH to ORION2
Naming Context: DC=DomainDnsZones,DC=orion,DC=net,DC=au
The replication generated an error (1256):
Win32 Error 1256
The failure occurred at 2010-02-22 18:07:01.
The last success occurred at 2010-02-22 15:22:02.
11 failures have occurred since the last success.
[Replications Check,ORION2] A recent replication attempt failed:
From ORIONCH to ORION2
Naming Context: CN=Schema,CN=Configuration,DC=orion,DC=net,DC=au
The replication generated an error (-2146893022):
Win32 Error -2146893022
The failure occurred at 2010-02-22 18:07:02.
The last success occurred at 2010-02-22 15:22:01.
11 failures have occurred since the last success.
[Replications Check,ORION2] A recent replication attempt failed:
From ORIONCH to ORION2
Naming Context: CN=Configuration,DC=orion,DC=net,DC=au
The replication generated an error (-2146893022):
Win32 Error -2146893022
The failure occurred at 2010-02-22 18:07:02.
The last success occurred at 2010-02-22 15:22:01.
11 failures have occurred since the last success.
[Replications Check,ORION2] A recent replication attempt failed:
From ORIONCH to ORION2
Naming Context: DC=orion,DC=net,DC=au
The replication generated an error (-2146893022):
Win32 Error -2146893022
The failure occurred at 2010-02-22 18:07:01.
The last success occurred at 2010-02-22 15:22:01.
11 failures have occurred since the last success.
......................... ORION2 passed test Replications
Starting test: NCSecDesc
......................... ORION2 passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\ORION2\netlogon)
[ORION2] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
......................... ORION2 failed test NetLogons
Starting test: Advertising
Fatal Error:DsGetDcName (ORION2) call failed, error 1355
The Locator could not find the server.
......................... ORION2 failed test Advertising
Starting test: KnowsOfRoleHolders
......................... ORION2 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... ORION2 passed test RidManager
Starting test: MachineAccount
......................... ORION2 passed test MachineAccount
Starting test: Services
......................... ORION2 passed test Services
Starting test: ObjectsReplicated
......................... ORION2 passed test ObjectsReplicated
Starting test: frssysvol
......................... ORION2 passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... ORION2 failed test frsevent
Starting test: kccevent
An Warning Event occured. EventID: 0x8000061E
Time Generated: 02/22/2010 17:57:48
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) was
An Warning Event occured. EventID: 0x8000061E
Time Generated: 02/22/2010 17:57:48
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) was
An Warning Event occured. EventID: 0x8000061E
Time Generated: 02/22/2010 17:57:48
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) was
An Warning Event occured. EventID: 0x8000061E
Time Generated: 02/22/2010 17:57:48
Event String: All domain controllers in the following site that
An Error Event occured. EventID: 0xC000051F
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) has
An Warning Event occured. EventID: 0x80000749
Time Generated: 02/22/2010 17:57:48
Event String: The Knowledge Consistency Checker (KCC) was
......................... ORION2 failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Time Generated: 02/22/2010 17:13:34
Event String: The kerberos client received a
An Error Event occured. EventID: 0x00000457
Time Generated: 02/22/2010 17:27:34
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 02/22/2010 17:52:02
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 02/22/2010 18:01:00
Event String: The kerberos client received a
......................... ORION2 failed test systemlog
Starting test: VerifyReferences
......................... ORION2 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : orion
Starting test: CrossRefValidation
......................... orion passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... orion passed test CheckSDRefDom
Running enterprise tests on : orion.net.au
Starting test: Intersite
......................... orion.net.au passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... orion.net.au failed test FsmoCheck
The domain controllers were also generating the following error:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1006
Date: 22/02/2010
Time: 6:01:40 PM
User: NT AUTHORITY\SYSTEM
Computer: ORION2\
Description:
Windows cannot bind to orion.net.au domain. (Local Error). Group Policy processing aborted.
After some research I came across Microsoft KB 958804:
http://support.microsoft.com/kb/958804
I resolved the problem by:
1. Copy the contents from Ntfrs_Preexisting folder to the %Windows%Sysvol\Sysvol\Domain Name folder.
2. Start Registry Editor and locate the following subkey:
HKLM\SYSTEM\CurrentControlSet\Services\Ntfrs\Parameters\Backup/Restore\Process at Startup
3. Set the value of the BurFlags registry entry to D4.
4. Restart the Ntfrs service, and then wait until the Sysvol and the Netlogon folders are shared.
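Steps 2 to 4 above as a PowerShell script that reports the current state first and changes nothing unless run with -Apply. This is an added example, not part of the original post or of KB 958804; it assumes step 1 has already been done, an elevated session on the affected DC, and a hypothetical -TimeoutSeconds wait limit. The D2 option reflects the D2/D4 distinction raised in the comments below.

```powershell
# Added example (not from the original post). Run elevated on the affected DC.
param(
    [ValidateSet('D2', 'D4')] [string]$BurFlags = 'D4',  # D4 = authoritative, D2 = non-authoritative
    [switch]$Apply,                                      # without -Apply the script only reports
    [int]$TimeoutSeconds = 600                           # assumed wait limit, adjust as needed
)

$frsKey      = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$netlogonKey = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-RegDword([string]$SubKey, [string]$Name) {
    # .NET registry API: the PowerShell provider treats the "/" in "Backup/Restore" as a separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

function Test-Share([string]$Name) {
    # "net share <name>" exits non-zero when the share does not exist.
    & net.exe share $Name 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-SysvolState {
    New-Object PSObject -Property @{
        BurFlags      = Get-RegDword $frsKey 'BurFlags'
        SysvolReady   = Get-RegDword $netlogonKey 'SysvolReady'
        SysvolShare   = Test-Share 'SYSVOL'
        NetlogonShare = Test-Share 'NETLOGON'
    }
}

'Before:'; Get-SysvolState | Format-List

if ($Apply) {
    $value = [Convert]::ToInt32($BurFlags, 16)           # D4 -> 212, D2 -> 210
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($frsKey, $true)
    if ($null -eq $key) { throw "Registry key not found: HKLM\$frsKey" }
    try { $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }

    Restart-Service -Name NtFrs                          # step 4: restart the Ntfrs service
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while (-not ((Test-Share 'SYSVOL') -and (Test-Share 'NETLOGON'))) {
        if ((Get-Date) -gt $deadline) { throw 'SYSVOL/NETLOGON not shared within the timeout.' }
        Start-Sleep -Seconds 15
    }
    'After:'; Get-SysvolState | Format-List
}
```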
I hope this has been helpful if you find yourself running into the same problem!
I suppose it is about one DC? If that is the case then D4 (D4 = authoritative restore of sysvol) will be ok only if you have proper SYSVOL folder structure and contents.
In a domain with more than one DC using D4 flag is not recommended: you have to stop NTFRS on all the DCs and choose one to be authoritative for the sysvol restore. After the restore you *must* use D2 flag (non authoritative restore).
Behind the scene: when a server that is hosting AD hasn't shared its SYSVOL it is considered not to be a valid DC i.e. the server does not advertise itself in the domain via LDAP (you get: "The specified domain either does not exist or could not be contacted")
The magic: this state is driven by a simple registry value: HKLM\System\CCS\Services\Netlogon\Parameters\SysvolReady
After FRS restore (D2/D4) this value is set to 1 and the netlogon service responds to LDAP requests (i.e. advertises itself to clients as a valid DC).
You can set this key to 1 manually. Two situations here:
1. you don't have valid SYSVOL contents: the DC can do its LDAP jobs, but clients cannot obtain GPOs from it
2. you have valid SYSVOL contents: the DC is acting as a valid DC and clients apply GPOs from it. In this case you don't even need to do D2/D4 FRS restore :)
* This is from real case: single domain with 2800 DCs (Win2003) - out of NTFRS limits! We did stop NTFRS, set sysvolready key and distributed SYSVOL with robocopy - worked with a charm!
Clint - excellent blog! Keep it that way!
Thanks heaps for your input Petar around this issue.