
Windows Server 2003 Standard Ed, Problem After DCPromo as a Secondary DC for Existing Domain - Not Replicating, and not Fully Recognized as a DC


Hello, and boy have I got a mess! I am hoping not to need to demote our DC2 back to a member server and then promote it again, but the following is the situation.

We have an integrated Active Directory network with one DC (DC1) running W2k3 Enterprise, x64, SP2, acting as the primary domain controller. We did have two DCs; however, DC2 became corrupted. We ended up needing to seize the roles away from it, and then we corrected AD on our domain's (PDC) DC1. Effectively, we had to force DC2 down, as AD would not allow it to be removed gracefully from the network, or from itself.

All was running fine after we removed the second DC's roles and DC2 from the network.

Our forest/domain level is 2000 native, schema version 30 (we have a W2k server running on site).

Once we re-installed W2k3 on the old DC2 server, we updated it to SP2 with all patches, then joined it to the domain as a member server. We then DCPromo'd DC2, and we saw errors as we thought we would, but they continued past the first 2 hours, and we have continued to see errors on the newly raised DC through now, as you will see below past my test results. Currently, it is as if DC2 is not a fully recognized secondary domain controller.

Some other facts:

When I open Explorer and type in “\\domain.com\sysvol”, from either DC1 or DC2, then right-click on the domain properties, the DFS active partition path is DC1 (\\DC1.domain.com\Sysvol).

Under Explorer, I see the following under “\\domain.com\Sysvol”:

\\domain.com\SysVol

\\domain.com\SysVol\domain.com

\\domain.com\SysVol\domain.com\Policies (...Has all 7 policies)

\\domain.com\SysVol\sysvol

\\domain.com\SysVol\sysvol\domain.com

\\domain.com\SysVol\sysvol\domain.com\Policies (...Has 2 policies)

I also ran NetDom Query FSMO for the role holders in the domain, and both show DC1 holding all 5 roles; however, neither of the DCs recognizes DC2 as any FSMO role holder.

Following are some test results run against our DC1 and the promoted DC2:

---------------------------------

NetDom fsmo query on DC1

---------------------------------

Schema owner                DC1.domain.com

Domain role owner           DC1.domain.com

PDC role                    DC1.domain.com

RID pool manager            DC1.domain.com

Infrastructure owner        DC1.domain.com

---------------------------------

NetDom fsmo query on DC2

---------------------------------

Schema owner                DC1.domain.com

Domain role owner           DC1.domain.com

PDC role                    DC1.domain.com

RID pool manager            DC1.domain.com

Infrastructure owner        DC1.domain.com

---------------------------------

NetDiag (on DC1 – The Primary DC Server)

---------------------------------

All tests passed, except the following:

DNS Test failed:

DNS test . . . . . . . . . . . . . : Failed

    [FATAL] Could not open file C:\WINDOWS\system32\config\netlogon.dns for reading.

    [FATAL] Could not open file C:\WINDOWS\system32\config\netlogon.dns for reading.

    [FATAL] No DNS servers have the DNS records for this DC registered.

Redir and Browser test . . . . . . : Failed

    List of NetBt transports currently bound to the Redir

        NetBT_Tcpip_{12341234-5678-1234-1234-123456789012}

    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser

        NetBT_Tcpip_{12341234-5678-1234-1234-123456789012}

    The browser is bound to 1 NetBt transport.

    [FATAL] Cannot send mailslot message to 'DOMAIN*' via browser. [ERROR_INVALID_FUNCTION]

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Failed

    [FATAL] Cannot lookup package Kerberos.

    The error occurred was: (null)

NOTE: An interesting thing I see here is under the Redir and Browser test: “Cannot send mailslot message to 'DOMAIN*'...”

A Star? Wildcard?

---------------------------------

Ran Test - NetDiag (on DC2)

---------------------------------

    Computer Name: DC2

    DNS Host Name: DC2.domain.com

    System info : Microsoft Windows Server 2003 (Build 3790)

    Processor : x86 Family 15 Model 4 Stepping 3, GenuineIntel

    List of installed hotfixes :

        KB333333

        Q121212

Netcard queries test . . . . . . . : Passed

Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : DC2

        IP Address . . . . . . . . : 192.168.1.6

        Subnet Mask. . . . . . . . : 255.255.255.0

        Default Gateway. . . . . . : 192.168.1.1

        Dns Servers. . . . . . . . : 192.168.1.2

                                     192.168.1.6

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed

        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped

            There are no WINS servers configured for this interface.

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed

    List of NetBt transports currently configured:

        NetBT_Tcpip_{TCPIP234-5678-1234-1234-123456789012}

    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed

    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed

    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.2' and other DCs also have some of the names registered.

    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.6' and other DCs also have some of the names registered.

Redir and Browser test . . . . . . : Passed

    List of NetBt transports currently bound to the Redir

        NetBT_Tcpip_{TCPIP234-5678-1234-1234-123456789012}

    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser

        NetBT_Tcpip_{TCPIP234-5678-1234-1234-123456789012}

    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Passed

    Secure channel for domain 'DOMAIN' is to '\\DC1.domain.com'.

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped

    No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully

---------------------------------

RepAdmin test against DC1:

---------------------------------

repadmin running command /bind against server localhost

Bind to localhost succeeded.

Extensions supported:

    BASE                             : Yes

    ASYNCREPL                        : Yes

    REMOVEAPI                        : Yes

    MOVEREQ_V2                       : Yes

    GETCHG_COMPRESS                  : Yes

    DCINFO_V1                        : Yes

    RESTORE_USN_OPTIMIZATION         : Yes

    KCC_EXECUTE                      : Yes

    ADDENTRY_V2                      : Yes

    LINKED_VALUE_REPLICATION         : No

    DCINFO_V2                        : Yes

    INSTANCE_TYPE_NOT_REQ_ON_MOD     : Yes

    CRYPTO_BIND                      : Yes

    GET_REPL_INFO                    : Yes

    STRONG_ENCRYPTION                : Yes

    DCINFO_VFFFFFFFF                 : Yes

    TRANSITIVE_MEMBERSHIP            : Yes

    ADD_SID_HISTORY                  : Yes

    POST_BETA3                       : Yes

    GET_MEMBERSHIPS2                 : Yes

    GETCHGREQ_V6 (WHISTLER PREVIEW)  : Yes

    NONDOMAIN_NCS                    : Yes

    GETCHGREQ_V8 (WHISTLER BETA 1)   : Yes

    GETCHGREPLY_V5 (WHISTLER BETA 2) : Yes

    GETCHGREPLY_V6 (WHISTLER BETA 2) : Yes

    ADDENTRYREPLY_V3 (WHISTLER BETA 3): Yes

    GETCHGREPLY_V7 (WHISTLER BETA 3) : Yes

    VERIFY_OBJECT (WHISTLER BETA 3)  : Yes

    XPRESS_COMPRESSION               : Yes

Repl epoch: 0

---------------------------------

RepAdmin test against DC2:

---------------------------------

repadmin running command /bind against server localhost

Bind to localhost succeeded.

Extensions supported:

    BASE                             : Yes

    ASYNCREPL                        : Yes

    REMOVEAPI                        : Yes

    MOVEREQ_V2                       : Yes

    GETCHG_COMPRESS                  : Yes

    DCINFO_V1                        : Yes

    RESTORE_USN_OPTIMIZATION         : Yes

    KCC_EXECUTE                      : Yes

    ADDENTRY_V2                      : Yes

    LINKED_VALUE_REPLICATION         : No

    DCINFO_V2                        : Yes

    INSTANCE_TYPE_NOT_REQ_ON_MOD     : Yes

    CRYPTO_BIND                      : Yes

    GET_REPL_INFO                    : Yes

    STRONG_ENCRYPTION                : Yes

    DCINFO_VFFFFFFFF                 : Yes

    TRANSITIVE_MEMBERSHIP            : Yes

    ADD_SID_HISTORY                  : Yes

    POST_BETA3                       : Yes

    GET_MEMBERSHIPS2                 : Yes

    GETCHGREQ_V6 (WHISTLER PREVIEW)  : Yes

    NONDOMAIN_NCS                    : Yes

    GETCHGREQ_V8 (WHISTLER BETA 1)   : Yes

    GETCHGREPLY_V5 (WHISTLER BETA 2) : Yes

    GETCHGREPLY_V6 (WHISTLER BETA 2) : Yes

    ADDENTRYREPLY_V3 (WHISTLER BETA 3): Yes

    GETCHGREPLY_V7 (WHISTLER BETA 3) : Yes

    VERIFY_OBJECT (WHISTLER BETA 3)  : Yes

    XPRESS_COMPRESSION               : Yes

Repl epoch: 0

---------------------------------

Ran Test GPOtool (DC1)

---------------------------------

Validating DCs...

Available DCs:

DC1.domain.com

Searching for policies...

Found 7 policies

----------

Policy {1886644A-ACB8-4BC7-90E9-BAE1FA4FC1F2}

Friendly name: File and Print Sharing (avast deployment)

Policy OK

----------

Policy {31B2F340-016D-11D2-945F-00C04FB984F9}

Friendly name: Default Domain Policy

Policy OK

----------

Policy {39205F28-8F6C-4936-A4C7-ADFE234CBDA1}

Friendly name: IE Restriction

Policy OK

----------

Policy {5DBB01F7-A49D-4254-AC59-0891E124F83B}

Friendly name: File and Print Enable & ICF Disable

Policy OK

----------

Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}

Friendly name: Default Domain Controllers Policy

Policy OK

----------

Policy {C8D887EA-2384-4F93-AF04-0DA5A9C9EC78}

Friendly name: New Group Policy Object

Policy OK

----------

Policy {E9EDFD1A-DFB7-48DA-870B-3FDCD2BF7C8D}

Friendly name: Nonexe

Policy OK

----------

Policies OK

---------------------------------

Ran Test GPOtool (DC2)

---------------------------------

Validating DCs...

Available DCs:

DC1.domain.com

Searching for policies...

Found 7 policies

---------------

Policy {1886644A-ACB8-4BC7-90E9-BAE1FA4FC1F2}

Friendly name: File and Print Sharing (avast deployment)

Policy OK

---------------

Policy {31B2F340-016D-11D2-945F-00C04FB984F9}

Friendly name: Default Domain Policy

Policy OK

---------------

Policy {39205F28-8F6C-4936-A4C7-ADFE234CBDA1}

Friendly name: IE Restriction

Policy OK

---------------

Policy {5DBB01F7-A49D-4254-AC59-0891E124F83B}

Friendly name: File and Print Enable & ICF Disable

Policy OK

---------------

Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}

Friendly name: Default Domain Controllers Policy

Policy OK

---------------

Policy {C8D887EA-2384-4F93-AF04-0DA5A9C9EC78}

Friendly name: New Group Policy Object

Policy OK

---------------

Policy {E9EDFD1A-DFB7-48DA-870B-3FDCD2BF7C8D}

Friendly name: Nonexe

Policy OK

---------------

Policies OK


---------------

Event Errors:

---------------

The following event errors are read from the newly raised DC (DC2), not only in the first hour but also in the following day, within 24 hours (below these will follow the DC1 errors):

Event Source: MSDTC

Event ID:          53258

d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9351, Pid: 1168

No Callstack, CmdLine: C:\WINDOWS\system32\msdtc.exe

Event Source:   MSDTC

Event ID:          4193

MS DTC started with the following settings (OFF = 0 and ON = 1):

  Security Configuration:

      Network Administration of Transactions = 0,

      Network Clients = 0,

      Inbound Distributed Transactions using Native MSDTC Protocol = 0,

      Outbound Distributed Transactions using Native MSDTC Protocol = 0,

      Transaction Internet Protocol (TIP) = 0,

      XA Transactions = 0

  Filtering Duplicate events = 1

Event Source:   EventSystem

Event ID:          4625

Description:

The EventSystem sub system is suppressing duplicate event log entries for a duration of 86400 seconds.  The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\EventSystem\EventLog.

Event Source:   AutoEnrollment

Event Category:            None

Event ID:          13

Description:

Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80040154).  Class not registered

Event Source:   ESENT

Event ID:          101

Description:

lsass (388) The database engine stopped.

Event Source:   Userenv

Event ID:          1517

Description:

Windows saved user S-1-5-00-12345678901-1234567890-1234567890-500 registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

 

Event Source:   MSDTC

Event ID:          4143

Description:

MS DTC has detected that a DC Promotion has happened since the last time the MS DTC service was started.

Event Source:   MSDTC

Event ID:          53258

Info: same as the 53258 event above

Event Source:   LoadPerf

Event ID:          1001

Description:

Performance counters for the MSDTC (Distributed Transaction Coordinator) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.

Event Source:   LoadPerf

Event ID:          1000

Description:

Performance counters for the MSDTC (Distributed Transaction Coordinator) service were loaded successfully. The Record Data contains the new index values assigned to this service.

Event Source:   MSDTC

Event ID:          4104

Description:

The Microsoft Distributed Transaction Coordinator service was successfully installed.

Event Source:   MSDTC

Event ID:          4143

Description:

MS DTC has detected that a DC Promotion has happened since the last time the MS DTC service was started.

Event Source:   MSDTC

Event ID:          53258

Description:

MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9351, Pid: 3580

No Callstack,

 CmdLine: C:\WINDOWS\system32\msdtc.exe

Event Source:   LoadPerf

Event ID:          1001

Description:

Performance counters for the ContentIndex (ContentIndex) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.

Event Source:   LoadPerf

Event ID:          1001

Description:

Performance counters for the ContentFilter (ContentFilter) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.

Event Source:   LoadPerf

Event ID:          1001

Description:

Performance counters for the ISAPISearch (ISAPISearch) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.

Event Source:   HHCTRL

Event ID:          1904

Description:

The description for Event ID ( 1904 ) in Source ( HHCTRL ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer.

You may be able to use the /AUXSOURCE= flag to retrieve this description;

The following information is part of the event:  about:blank

Event Source:   SceSrv

Event ID:          1003

Description:

Notification of policy change from LSA/SAM has been retried and failed. Error 4312 to save policy change for account S-1-5-00 in the default GPOs. For more debugging information, please look security\logs\scepol.log under Windows root.

Event Source:   AutoEnrollment

Event ID:          13

Description:

Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80040154).  Class not registered

Event Source:   MSDTC

Event ID:          53258

Description:

MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9351, Pid: 1144

No Callstack,

 CmdLine: C:\WINDOWS\system32\msdtc.exe

Event Source:   Userenv

Event ID:          1058

Description:

Windows cannot access the file gpt.ini for GPO CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=domain,DC=com. The file must be present at the location <\\domain.com\sysvol\domain.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.

Event Source:   Userenv

Event ID:          1030

Description:

Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

---------------------------------

NOTE: Following are the (PDC) DC1 event errors, mostly within the last 24 hours:

---------------------------------

Event Source:   Userenv

Event ID:          1058

Description:

Windows cannot access the file gpt.ini for GPO CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=Domain,DC=com. The file must be present at the location <\\domain.com\sysvol\domain.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.

Event Source:   Userenv

Event ID:          1030

Description:

Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Event Source:   NTDS Replication

Event ID:          1226

Description:

The following object was created on a remote domain controller with an object name that already exists on the local domain controller.

Object:

DC=12345678-1234-5678-abcd-12345678901._msdcs,DC=Domain.com,CN=MicrosoftDNS,CN=System,DC=domain,DC=com

Object GUID:

87654321-1234-5678-abcd-123456789012

Existing object GUID:

43214321-1234-5678-abcd-123456789012

The object with the following GUID will be renamed since the other object had this name more recently.

Object GUID:

87654321-1234-5678-abcd-123456789012

Renamed object name:

12345678-1234-5678-abcd-12345678901._msdcs

CNF:87654321-1234-5678-abcd-123456789012

Event Source:   NTDS KCC

Event ID:          1925

Description:

The attempt to establish a replication link for the following writable directory partition failed.

Directory partition:

CN=Configuration,DC=domain,DC=com

Source domain controller:

CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com

Source domain controller address:

12345678-1234-5678-abcd-12345678901._msdcs.domain.com

Intersite transport (if any):

This domain controller will be unable to replicate with the source domain controller until this problem is corrected. 

User Action

Verify if the source domain controller is accessible or network connectivity is available.

Additional Data

Error value:

8524 The DSA operation is unable to proceed because of a DNS lookup failure.

Event Source:   NTDS KCC

Event ID:          1104

Description:

The Knowledge Consistency Checker (KCC) successfully terminated the following change notifications.

Directory partition:

DC=DOMAIN,DC=com

Destination network address:

12345678-1234-5678-abcd-12345678901._msdcs.DOMAIN.com

Destination domain controller (if available):

CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=com

This event can occur if either this domain controller or the destination domain controller has been moved to another site.

Event Source:   NTDS Replication

Event ID:          1226

Description:

The following object was created on a remote domain controller with an object name that already exists on the local domain controller.

Object:

DC=12345678-1234-5678-abcd-12345678901._msdcs,DC=Domain.com,CN=MicrosoftDNS,CN=System,DC=domain,DC=com

Object GUID:

87654321-1234-5678-abcd-123456789012

Existing object GUID:

43214321-1234-5678-abcd-123456789012

The object with the following GUID will be renamed since the other object had this name more recently.

Object GUID:

87654321-1234-5678-abcd-123456789012

Renamed object name:

12345678-1234-5678-abcd-12345678901._msdcs

CNF:87654321-1234-5678-abcd-123456789012

Event Source:   NTDS Replication

Event ID:          1226

Description:

The following object was created on a remote domain controller with an object name that already exists on the local domain controller.

Object:

DC=abcd4321-1234-5678-abcd-123456789012._msdcs,DC=Domain.com,CN=MicrosoftDNS,CN=System,DC=domain,DC=com

Object GUID:

dcert321-1234-5678-abcd-123456789210

Existing object GUID:

fghij321-1234-5678-abcd-123456789210

The object with the following GUID will be renamed since the other object had this name more recently.

Object GUID:

fghij321-1234-5678-abcd-123456789210

Renamed object name:

abcd4321-1234-5678-abcd-123456789012._msdcs

CNF:fghij321-1234-5678-abcd-123456789210

Please note:

DC1

Currently, DC1 has had no Application, System, or Directory Service errors for the past few days.

However, replication, i.e. the KCC, has not run since the error showed, and then showed it will be shut down.

The main “DNS Manager” shows four sets of reverse records (225.in-addr.arpa, 127.in-addr.arpa, 0.in-addr.arpa, and 1.168.192.in-addr.arpa), whereas the created MMC shows only the one correct set, “1.168.192.in-addr.arpa”.

One item I know I will perform is redoing the reverse DNS zones.

DC2

Still shows many errors: Application error events 13, 1030, and 1058.

I look forward to any help that may assist me in finding a solution to this issue in this Forum.  =)
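A health check for the symptoms in the post above, added here as an example; it is not part of the original post and not the poster's own script. It is written for PowerShell 2.0 on a Windows Server 2003 DC (no ActiveDirectory module, which 2003 does not have), run elevated on the DC being checked, and it assumes the placeholders from the post: domain.com / DC=domain,DC=com, DCs named DC1 and DC2, site Default-First-Site-Name, and DNS zones stored under CN=MicrosoftDNS,CN=System as the 1226 events show. It checks four things the post's output points at: that the SYSVOL share is rooted at ...\SYSVOL\sysvol rather than one level up (the nested \\domain.com\SysVol\sysvol\domain.com listing), that every GPO in AD has a gpt.ini in the local SYSVOL (Userenv 1058), that each DC's DSA object GUID CNAME under _msdcs resolves (KCC 1925 with error 8524), and that there are no CNF: conflict objects under MicrosoftDNS (NTDS Replication 1226). It then lists those event IDs from the last 24 hours.

```powershell
# Added example (not from the original post). Assumes PowerShell 2.0 on a
# Windows Server 2003 DC; the domain, DC and site names are placeholders.
$Domain   = "domain.com"
$DomainDN = "DC=domain,DC=com"
$Site     = "Default-First-Site-Name"
$DCs      = @("DC1", "DC2")

function Test-SysvolShare {
    # SYSVOL must be shared from the inner "sysvol" folder. A share rooted one
    # level up produces the nested \\domain\SysVol\sysvol\domain layout and
    # clients then read a Policies folder with the wrong contents.
    $share = Get-WmiObject Win32_Share -Filter "Name='SYSVOL'"
    if ($share -eq $null) { return "FAIL: SYSVOL is not shared on this DC" }
    if ($share.Path -notmatch '\\SYSVOL\\sysvol\\?$') {
        return "FAIL: SYSVOL share path is '$($share.Path)', expected ...\SYSVOL\sysvol"
    }
    return "OK:   SYSVOL share path is $($share.Path)"
}

function Test-GptIni {
    # Userenv 1058 means a GPO folder in SYSVOL has no gpt.ini. Compare the
    # GPO objects in AD with what the local SYSVOL share actually holds.
    $policies = [ADSI]"LDAP://CN=Policies,CN=System,$DomainDN"
    $root = "\\$env:COMPUTERNAME\SYSVOL\$Domain\Policies"
    foreach ($gpo in $policies.psbase.Children) {
        $guid = [string]$gpo.cn      # e.g. {6AC1786C-016F-11D2-945F-00C04FB984F9}
        $ini  = Join-Path $root "$guid\gpt.ini"
        if (Test-Path $ini) { "OK:   $guid gpt.ini present" }
        else                { "FAIL: $guid is missing $ini" }
    }
}

function Test-DsaGuidCname {
    # Replication partners are addressed as <DSA object GUID>._msdcs.<domain>,
    # a CNAME to the DC's host record. Error 8524 in KCC 1925 is this lookup
    # failing. The DSA GUID is the objectGUID of the DC's NTDS Settings object.
    foreach ($dc in $DCs) {
        $ntds = [ADSI]"LDAP://CN=NTDS Settings,CN=$dc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDN"
        $name = "$($ntds.psbase.Guid.ToString())._msdcs.$Domain"
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
            "OK:   $dc -> $name -> $($addrs -join ', ')"
        } catch {
            "FAIL: $dc -> $name did not resolve (compare with KCC event 1925 / error 8524)"
        }
    }
}

function Test-DnsConflictObjects {
    # NTDS Replication 1226 renames the loser of a name collision to
    # "<name>\0ACNF:<guid>". Such objects under MicrosoftDNS are duplicate DNS
    # nodes that replication could not merge; list them for manual cleanup.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=MicrosoftDNS,CN=System,$DomainDN"
    $searcher.Filter   = "(&(objectClass=dnsNode)(name=*CNF:*))"
    $searcher.PageSize = 500
    $hits = $searcher.FindAll()
    if ($hits.Count -eq 0) { return "OK:   no CNF: conflict objects under MicrosoftDNS" }
    foreach ($h in $hits) { "FAIL: conflict object $($h.Path)" }
}

function Test-RecentDcEvents {
    # The event IDs the post reports, from the last 24 hours of the local logs.
    $since = (Get-Date).AddHours(-24)
    $watch = @{ "Application" = @(13, 1030, 1058); "Directory Service" = @(1226, 1925) }
    foreach ($log in $watch.Keys) {
        Get-EventLog -LogName $log -After $since -EntryType Error,Warning |
            Where-Object { $watch[$log] -contains $_.EventID } |
            ForEach-Object { "EVENT: $log $($_.Source) $($_.EventID) at $($_.TimeGenerated)" }
    }
}

Test-SysvolShare
Test-GptIni
Test-DsaGuidCname
Test-DnsConflictObjects
Test-RecentDcEvents
```

Run it on each DC in turn; the SYSVOL and gpt.ini checks are local to the DC they run on, while the CNAME and conflict-object checks read the same directory data from either side. A FAIL from Test-DsaGuidCname for DC1 together with a CNF: hit for DC1's GUID record is the combination the 1226 and 1925 events above describe.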

