bwatson (Posts: 49) | 01/13/2010 11:40 PM
I ran into an issue in which I attempted to promote a Domain Controller (Windows 2003 R2, single domain, single forest) that has a hostname identical to a Domain Controller that USED to exist but was successfully demoted normally a while back. This new Domain Controller was a new, built-from-scratch machine that otherwise shared nothing with the other DC that used to exist.
While I was actually able to promote the DC, and it initially said everything was fine, I soon ran into issues after the initial reboot. The DC would never form replication links, the event logs were filled with all sorts of Access Denied errors all over the place which I will show examples of further down.
Ultimately, the only way this particular machine functioned as a Domain Controller was when I demoted it, renamed it something new, and promoted it.
So what would I be running into in Active Directory that would cause the domain to throw such a fit? Why would there be any record of the name of a Domain Controller that used to exist if it was demoted properly?
The Event Log was filled with various errors all revolving around "Access Denied". For example...
Application Log:
Error - Source: Userenv - Event ID: 1053
Windows cannot determine the user or computer name. (Access is denied. ). Group Policy processing aborted.
Directory Service:
Warning - Source: NTDS KCC - Event ID: 1925 - Note: In this case, this warning happened over and over, complaining about every partition on every other Domain Controller in that it was denied access.
The attempt to establish a replication link for the following writable directory partition failed.
Directory partition:
CN=Configuration,DC=domain,DC=com
Source domain controller:
CN=NTDS Settings,CN=DomainController,CN=Servers,CN=SITE,CN=Sites,CN=Configuration,DC=domain,DC=com
Source domain controller address:
75f14bcd-1788-46f4-bdc9-0dec4958590a._msdcs.domain.com
Intersite transport (if any):
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=com
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.
User Action
Verify if the source domain controller is accessible or network connectivity is available.
Additional Data
Error value:
5 Access is denied.
Error - Source: NTDS KCC - Event ID: 1311
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition:
DC=ForestDnsZones,DC=domain,DC=com
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.
Warning - Source: NTDS KCC - Event ID: 1566
All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.
Site:
CN=SITE,CN=Sites,CN=Configuration,DC=domain,DC=com
Directory partition:
DC=ForestDnsZones,DC=appsig,DC=com
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=com
And continuing on and on.
Thoughts?
~Ben
laurahcomputing (Posts: 147) | 01/13/2010 11:56 PM
Old DC might not have been fully and/or cleanly demoted - metadata and/or holdover DNS records pointing to the old DC still lingering about.
On Wed, Jan 13, 2010 at 6:38 PM, WATSON, BEN <bwatson@appsig.com> wrote:
--
-----------------------
Laura E. Hunter
Principal, LHA Consulting Incorporated (http://www.lhaconsulting.com)
Microsoft MVP, Directory Services (https://mvp.support.microsoft.com/profile/laura)
Author, Active Directory Consultant's Field Guide (http://tinyurl.com/7f8ll)
Author, Active Directory Cookbook, Third Edition (http://tinyurl.com/7kp3ct)
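As an added example (not from either poster), the following pre-flight check looks for the leftovers Laura describes before a retired DC's hostname is reused: server/NTDS Settings objects in the Configuration partition, the computer object in the Domain Controllers OU, the FRS SYSVOL member object, and SRV records in _msdcs still pointing at the old name. It assumes the ActiveDirectory and DnsClient PowerShell modules (2008 R2-era RSAT or newer, so not what a 2003 box has natively; on 2003 the same cleanup is done with ntdsutil metadata cleanup), and DC01 / domain.com are placeholders.

```powershell
# Added example: find stale metadata and DNS records for a DC name before reusing it.
# Assumes the ActiveDirectory and DnsClient modules; $DcName and $DomainDns are placeholders.
param(
    [string]$DcName    = 'DC01',        # hostname you intend to reuse (placeholder)
    [string]$DomainDns = 'domain.com'   # DNS name of the domain (placeholder)
)
Import-Module ActiveDirectory
$root     = Get-ADRootDSE
$findings = @()

# 1. Server object (and its NTDS Settings child) under CN=Sites in the Configuration NC.
#    A lingering nTDSDSA object is what makes the KCC and replication treat the name as an old DC.
$servers = Get-ADObject -SearchBase "CN=Sites,$($root.configurationNamingContext)" `
                        -LDAPFilter "(&(objectClass=server)(cn=$DcName))"
foreach ($s in $servers) {
    $ntds = Get-ADObject -SearchBase $s.DistinguishedName -LDAPFilter '(objectClass=nTDSDSA)' `
                         -ErrorAction SilentlyContinue
    $msg = "Server object still present: $($s.DistinguishedName)"
    if ($ntds) { $msg += " (with NTDS Settings: $($ntds.DistinguishedName))" }
    $findings += $msg
}

# 2. Computer account still sitting in the Domain Controllers OU.
$comp = Get-ADComputer -LDAPFilter "(cn=$DcName)" `
                       -SearchBase "OU=Domain Controllers,$($root.defaultNamingContext)"
if ($comp) { $findings += "Computer object still in Domain Controllers OU: $($comp.DistinguishedName)" }

# 3. FRS member object for SYSVOL replication (CN=System, File Replication Service).
$frs = Get-ADObject -SearchBase "CN=System,$($root.defaultNamingContext)" `
                    -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$DcName))"
if ($frs) { $findings += "FRS member object still present: $($frs.DistinguishedName)" }

# 4. SRV records under _msdcs that still target the old host name.
$srv   = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainDns" -Type SRV -ErrorAction SilentlyContinue
$stale = $srv | Where-Object { $_.NameTarget -like "$DcName.*" }
foreach ($r in $stale) { $findings += "Stale SRV record: _ldap._tcp.dc._msdcs.$DomainDns -> $($r.NameTarget)" }

if ($findings.Count -eq 0) {
    "No leftover references to $DcName found in metadata or DNS."
} else {
    $findings | ForEach-Object { "LEFTOVER: $_" }
}
```

Any LEFTOVER line is a reason to clean up (metadata cleanup plus deleting the stale DNS records) before running dcpromo with that name again.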