I am in the process of migrating our ADDS to a test environment.
The steps were as such:
- Install Win2008R2; dcpromo.exe to DC
- Isolate DC (separate network)
- Create DNS server with A records & Update rights for domain + domaincontroller
- Ran ipconfig /flushdns + ipconfig /registerdns
- Confirmed _msdcs entries in DNS server
- Reseize FSMO roles on DC
- Performed metadata cleanup
Environment:
- Windows 2008 R2 with ADDS Roles
- DNS Server (separate machine)
Symptoms:
- Best Practices Analyzer fails with 23 warnings, all related to:
«This domain controller must register its correct IP addresses with the DNS server»
- Event ID: 1126 — Active Directory Domain Services was unable to establish a connection with the global catalog
- nltest /dsgetdc:domainname
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
- nltest /server:lefdc /sc_query:domainname
I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE
- dcdiag /test:dns reports — OK
- dcdiag /fix — reports:
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located — All GC’s are down.
Full logs provided below:
servername : LEFDC1
PS C:\Windows\system32> nslookup
Default Server: testdns.my.domain.name
Address: 10.140.1.10
> set type=all
> _ldap._tcp.dc._msdcs.my.domain.name
Server: testdns.my.domain.name
Address: 10.140.1.10
_ldap._tcp.dc._msdcs.my.domain.name SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = lefdc1.my.domain.name
my.domain.name nameserver = testdns.my.domain.name
lefdc1.my.domain.name internet address = 10.140.1.15
testdns.my.domain.name internet address = 10.140.1.10
PS C:\Windows\system32> nltest /server:lefdc /sc_query:my.domain.name
I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE
PS C:\Windows\system32> dcdiag /test:dns /v /e /f:c:\dcdiag.log
PS C:\Windows\system32> nltest /dsgetdc:my.domain.name
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
PS C:\Windows\system32> ntdsutil
C:\Windows\system32\ntdsutil.exe: roles
fsmo maintenance: connection
server connections: connect to server lefdc1.my.domain.name
Binding to lefdc1.my.domain.name ...
Connected to lefdc1.my.domain.name using credentials of locally logged on user.
server connections: quit
fsmo maintenance: seize pdc
Attempting safe transfer of PDC FSMO before seizure.
FSMO transferred successfully - seizure not required.
Server "lefdc1.my.domain.name" knows about 5 roles
Schema - CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,DC=edu
Naming Master - CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,DC=simmons,dc=name
PDC - CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
RID - CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
Infrastructure - CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,DC=simmons,dc=name
fsmo maintenance:
PS C:\Windows\system32> dcdiag /fix
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = lefdc1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\LEFDC1
Starting test: Connectivity
......................... LEFDC1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\LEFDC1
Starting test: Advertising
Fatal Error:DsGetDcName (LEFDC1) call failed, error 1355
The Locator could not find the server.
......................... LEFDC1 failed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... LEFDC1 passed test FrsEvent
Starting test: DFSREvent
......................... LEFDC1 passed test DFSREvent
Starting test: SysVolCheck
......................... LEFDC1 passed test SysVolCheck
Starting test: KccEvent
A warning event occurred. EventID: 0x80000B46
Time Generated: 10/07/2013 09:14:11
Event String:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
......................... LEFDC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... LEFDC1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... LEFDC1 passed test MachineAccount
Starting test: NCSecDesc
......................... LEFDC1 passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\LEFDC1\netlogon)
[LEFDC1] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... LEFDC1 failed test NetLogons
Starting test: ObjectsReplicated
......................... LEFDC1 passed test ObjectsReplicated
Starting test: Replications
......................... LEFDC1 passed test Replications
Starting test: RidManager
......................... LEFDC1 passed test RidManager
Starting test: Services
......................... LEFDC1 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x0000A001
Time Generated: 10/07/2013 08:47:14
Event String:
The Security System could not establish a secured connection with the server ldap/my.domain.name/ad.simmons.edu@my.domain.name. No authentication protocol was available.
An error event occurred. EventID: 0xC00038D6
Time Generated: 10/07/2013 08:50:24
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
A warning event occurred. EventID: 0x000016AA
Time Generated: 10/07/2013 08:59:19
Event String:
None of the IP addresses (10.140.1.15) of this Domain Controller map to the configured site 'Default-First-Site-Name'. While this may be a temporary situation due to IP address changes, it is generally recommended that the IP address of the Domain Controller (accessible to machines in its domain) maps to the Site which it services. If the above list of IP addresses is stable, consider moving this server to a site (or create one if it does not already exist) such that the above IP address maps to the selected site. This may require the creation of a new subnet object (whose range includes the above IP address) which maps to the selected site object.
A warning event occurred. EventID: 0x000003F6
Time Generated: 10/07/2013 09:08:02
Event String:
Name resolution for the name www.microsoft.com timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0xC0002719
Time Generated: 10/07/2013 09:08:23
Event String:
DCOM was unable to communicate with the computer 10.140.1.10 using any of the configured protocols.
A warning event occurred. EventID: 0x8000001D
Time Generated: 10/07/2013 09:14:27
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
A warning event occurred. EventID: 0x000016AA
Time Generated: 10/07/2013 09:14:31
Event String:
None of the IP addresses (10.140.1.15) of this Domain Controller map to the configured site 'Default-First-Site-Name'. While this may be a temporary situation due to IP address changes, it is generally recommended that the IP address of the Domain Controller (accessible to machines in its domain) maps to the Site which it services. If the above list of IP addresses is stable, consider moving this server to a site (or create one if it does not already exist) such that the above IP address maps to the selected site. This may require the creation of a new subnet object (whose range includes the above IP address) which maps to the selected site object.
......................... LEFDC1 failed test SystemLog
Starting test: VerifyReferences
......................... LEFDC1 passed test VerifyReferences
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : ad
Starting test: CheckSDRefDom
......................... ad passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ad passed test CrossRefValidation
Running enterprise tests on : my.domain.name
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... my.domain.name failed test LocatorCheck
Starting test: Intersite
......................... my.domain.name passed test Intersite
PS C:\Windows\system32>
PS C:\Windows\system32> ntdsutil
C:\Windows\system32\ntdsutil.exe: metadata cleanup
metadata cleanup: connections
server connections: connect to server lefdc1
Binding to lefdc1 ...
Connected to lefdc1 using credentials of locally logged on user.
server connections: q
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - dc=my,dc=domain,dc=name
select operation target: select domain 0
No current site
Domain - dc=my,dc=domain,dc=name
No current server
No current Naming Context
select operation target: list sites
Found 2 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
1 - CN=SchoolofManagement,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
select operation target: select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
Domain - dc=my,dc=domain,dc=name
No current server
No current Naming Context
Output from dcdiag /testdns:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine lefdc1, is a Directory Server.
Home Server = lefdc1
* Connecting to directory service on server lefdc1.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=SchoolofManagement,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=LEFDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=my,dc=domain,dc=name
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\LEFDC1
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... LEFDC1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\LEFDC1
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
See DNS test in enterprise tests section for results
......................... LEFDC1 passed test DNS
Running partition tests on : Schema
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Configuration
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : ad
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running enterprise tests on : my.domain.name
Starting test: DNS
Test results for domain controllers:
DC: lefdc1.my.domain.name
Domain: my.domain.name
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
The OS Microsoft Windows Server 2008 R2 Enterprise (Service Pack level: 1.0) is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is not a DNS server
Network adapters information:
Adapter [00000007] Broadcom NetXtreme 57xx Gigabit Controller:
MAC address is 00:19:B9:30:85:DF
IP address: 10.140.1.15
DNS servers:
10.140.1.10 (<name unavailable>) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
TEST: Records registration (RReg)
Network Adapter [00000007] Broadcom NetXtreme 57xx Gigabit Controller:
Matching CNAME record found at DNS server 10.140.1.10:
228de4e0-d8f0-447c-aad3-9c07ca7dd6c8._msdcs.my.domain.name
Matching A record found at DNS server 10.140.1.10:
lefdc1.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.a7ed6b46-86fe-471c-9a41-9fddd53d2e4c.domains._msdcs.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_kerberos._tcp.dc._msdcs.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.dc._msdcs.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_kerberos._tcp.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_kerberos._udp.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_kpasswd._tcp.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.Default-First-Site-Name._sites.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_kerberos._tcp.Default-First-Site-Name._sites.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.gc._msdcs.my.domain.name
Matching A record found at DNS server 10.140.1.10:
gc._msdcs.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_gc._tcp.Default-First-Site-Name._sites.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.name
Matching SRV record found at DNS server 10.140.1.10:
_ldap._tcp.pdc._msdcs.my.domain.name
Summary of test results for DNS servers used by the above domain controllers:
DNS server: 10.140.1.10 (<name unavailable>)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: my.domain.name
lefdc1 PASS PASS n/a n/a n/a PASS n/a
......................... my.domain.name passed test DNS
Test omitted by user request: LocatorCheck
Test omitted by user request: Intersite
Output from dcdiag /q
Fatal Error:DsGetDcName (LEFDC1) call failed, error 1355
The Locator could not find the server.
......................... LEFDC1 failed test Advertising
Unable to connect to the NETLOGON share! (\\LEFDC1\netlogon)
[LEFDC1] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... LEFDC1 failed test NetLogons
An error event occurred. EventID: 0xC00038D6
Time Generated: 10/07/2013 08:50:24
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
An error event occurred. EventID: 0xC0002719
Time Generated: 10/07/2013 09:08:23
Event String:
DCOM was unable to communicate with the computer 10.140.1.10 using any of the configured protocols.
......................... LEFDC1 failed test SystemLog
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... my.domain.name failed test LocatorCheck
Yesterday I used DCPROMO to remove a windows 2008 DC (SRV2008) from our domain. All FSMO roles were successfully transferred to the 2016 DC (SRV2016) prior to demoting SRV2008 as a DC. The DCPROMO worked without issue and DCDIAG did not show anything of concern.
Today when running DCDIAG we are getting advertising errors that appear to be related to the time service (shown below).
SRV2016 is the last DC in my domain — I plan to rebuild the HW SRV2008 is on with a new 2016 server DC so I have two DC’s.
SRV2016 is pointing to itself for DNS. DNS on SRV2016 is successfully servicing requests from my clients.
All users are currently logging in w/o issue. Any ideas out there? Happy to send additional info — thanks for taking the time.
**************************************************************************************************************
C:\Users\administrator.APM>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server…
Home Server = APM-SRV-AD03
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\APM-SRV-AD03
Starting test: Connectivity
……………………. APM-SRV-AD03 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\APM-SRV-AD03
Starting test: Advertising
Warning: APM-SRV-AD03 is not advertising as a time server.
……………………. APM-SRV-AD03 failed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
……………………. APM-SRV-AD03 passed test FrsEvent
Starting test: DFSREvent
……………………. APM-SRV-AD03 passed test DFSREvent
Starting test: SysVolCheck
……………………. APM-SRV-AD03 passed test SysVolCheck
Starting test: KccEvent
……………………. APM-SRV-AD03 passed test KccEvent
Starting test: KnowsOfRoleHolders
……………………. APM-SRV-AD03 passed test KnowsOfRoleHolders
Starting test: MachineAccount
……………………. APM-SRV-AD03 passed test MachineAccount
Starting test: NCSecDesc
……………………. APM-SRV-AD03 passed test NCSecDesc
Starting test: NetLogons
……………………. APM-SRV-AD03 passed test NetLogons
Starting test: ObjectsReplicated
……………………. APM-SRV-AD03 passed test ObjectsReplicated
Starting test: Replications
……………………. APM-SRV-AD03 passed test Replications
Starting test: RidManager
……………………. APM-SRV-AD03 passed test RidManager
Starting test: Services
……………………. APM-SRV-AD03 passed test Services
Starting test: SystemLog
……………………. APM-SRV-AD03 passed test SystemLog
Starting test: VerifyReferences
……………………. APM-SRV-AD03 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
……………………. DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
……………………. DomainDnsZones passed test CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
……………………. ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
……………………. ForestDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
……………………. Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
……………………. Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
……………………. Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
……………………. Configuration passed test CrossRefValidation
Running partition tests on : apm
Starting test: CheckSDRefDom
……………………. apm passed test CheckSDRefDom
Starting test: CrossRefValidation
……………………. apm passed test CrossRefValidation
Running enterprise tests on : apm.local
Starting test: LocatorCheck
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
……………………. apm.local failed test LocatorCheck
Starting test: Intersite
……………………. apm.local passed test Intersite
C:\Users\administrator.APM>
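For comparing reports like the two above, an added example (not part of either post, and not a Microsoft tool): a small Python parser that pulls the failed tests and failed DC Locator lookups out of pasted dcdiag text, and separates a DC that is not being located at all from one that is only missing the time-server roles. The sample inputs are excerpts constructed from the output quoted on this page; the category names returned by `classify` are assumptions of this example.

```python
"""Triage pasted dcdiag output: failed tests and missing DC Locator roles."""
import re

# Win32 status codes that appear in the dcdiag/nltest output on this page.
WIN32 = {67: "ERROR_BAD_NET_NAME", 1355: "ERROR_NO_SUCH_DOMAIN",
         1722: "RPC_S_SERVER_UNAVAILABLE"}

# "......... LEFDC1 failed test Advertising" (leading dots/ellipses vary by paste)
RESULT = re.compile(r"^[\s.\u2026]*(\S+) (passed|failed) test (\S+)\s*$")
# "Warning: DcGetDcName(TIME_SERVER) call failed, error 1355"
ROLE = re.compile(r"Warning: DcGetDcName\((\w+)\) call failed, error (\d+)")
# "Fatal Error:DsGetDcName (LEFDC1) call failed, error 1355"
FATAL = re.compile(r"Fatal Error:\s*DsGetDcName \((\S+)\) call failed, error (\d+)")

TIME_ROLES = {"TIME_SERVER", "GOOD_TIME_SERVER_PREFERRED"}


def win32_name(code):
    """Symbolic name for a status code, or a placeholder if not in the table."""
    return WIN32.get(code, "UNKNOWN_%d" % code)


def unwrap(text):
    """Undo paste damage: drop a trailing ' |' column and rejoin lines that the
    console wrapped right after 'error' or 'passed/failed test'."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"\s*\|\s*$", "", raw).rstrip()
        if out and re.search(r"(, error|(passed|failed) test)$", out[-1]):
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse(text):
    """Return failed (target, test) pairs and the locator lookups that failed."""
    failed, roles, fatal = [], {}, {}
    for line in unwrap(text):
        if m := RESULT.match(line):
            if m.group(2) == "failed":
                failed.append((m.group(1), m.group(3)))
        elif m := ROLE.search(line):
            roles[m.group(1)] = int(m.group(2))
        elif m := FATAL.search(line):
            fatal[m.group(1)] = int(m.group(2))
    return {"failed": failed, "missing_roles": roles, "not_located": fatal}


def classify(report):
    """Coarse category (names are this example's own, not dcdiag's)."""
    roles = set(report["missing_roles"])
    if report["not_located"]:
        return "dc-not-advertising"      # the locator cannot find the DC at all
    if roles and roles <= TIME_ROLES:
        return "time-service-only"       # DC is found, but not as a time server
    if roles:
        return "partial-roles-missing"
    return "no-locator-errors"


# Constructed excerpt of the first post's "dcdiag /fix" output.
POST1 = """Starting test: Advertising
Fatal Error:DsGetDcName (LEFDC1) call failed, error 1355
......................... LEFDC1 failed test Advertising
Starting test: NetLogons
[LEFDC1] An net use or LsaPolicy operation failed with error 67,
......................... LEFDC1 failed test NetLogons
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
......................... my.domain.name failed test LocatorCheck"""

# Constructed excerpt of the second post's dcdiag output.
POST2 = """Starting test: Advertising
Warning: APM-SRV-AD03 is not advertising as a time server.
\u2026\u2026\u2026\u2026. APM-SRV-AD03 failed test Advertising
Starting test: NetLogons
\u2026\u2026\u2026\u2026. APM-SRV-AD03 passed test NetLogons
Starting test: LocatorCheck
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
\u2026\u2026\u2026\u2026. apm.local failed test LocatorCheck"""

# Constructed sample of a console-wrapped paste with a trailing '|' column.
WRAPPED = """Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error |
1355 |
. domain.local failed test |
LocatorCheck |"""

if __name__ == "__main__":
    for name, sample in (("post 1", POST1), ("post 2", POST2), ("wrapped", WRAPPED)):
        rep = parse(sample)
        print(name, classify(rep), rep["failed"],
              {k: win32_name(v) for k, v in rep["missing_roles"].items()})
```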
Warning dcgetdcname time server call failed error 1355
This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.
Question
I have one domain controller on Windows Server 2012
and many problems with it.
The main problem is that I can open only the ADSI Edit console; all other AD consoles don’t work.
DCDIAG /FIX
Directory Server Diagnosis
Performing initial setup:
Trying to find home server.
Home Server = dc01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DC01
Starting test: Connectivity
. DC01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC01
Starting test: Advertising
Fatal Error:DsGetDcName (DC01) call failed, error 1355
The Locator could not find the server.
. DC01 failed test Advertising
Starting test: FrsEvent
. DC01 passed test FrsEvent
Starting test: DFSREvent
. DC01 passed test DFSREvent
Starting test: SysVolCheck
. DC01 passed test SysVolCheck
Starting test: KccEvent
An error event occurred. EventID: 0xC0000466
Time Generated: 06/11/2013 15:41:08
Event String:
Active Directory Domain Services was unable to establish a connection with the global catalog.
. DC01 failed test KccEvent
Starting test: KnowsOfRoleHolders
. DC01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
. DC01 passed test MachineAccount
Starting test: NCSecDesc
. DC01 passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\DC01\netlogon)
[DC01] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
. DC01 failed test NetLogons
Starting test: ObjectsReplicated
. DC01 passed test ObjectsReplicated
Starting test: Replications
. DC01 passed test Replications
Starting test: RidManager
. DC01 passed test RidManager
Starting test: Services
. DC01 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x0000271A
Time Generated: 06/11/2013 15:24:45
Event String:
The server <9ba05972-f6a8-11cf-a442-00a0c90a8f39>did not register with DCOM within the required timeout.
A warning event occurred. EventID: 0x000727A5
Time Generated: 06/11/2013 15:24:46
Event String:
The WinRM service is not listening for WS-Management requests.
A warning event occurred. EventID: 0x80040022
Time Generated: 06/11/2013 15:25:39
Event String:
The driver disabled the write cache on device \Device\Harddisk0\DR0.
A warning event occurred. EventID: 0x80040022
Time Generated: 06/11/2013 15:25:39
Event String:
The driver disabled the write cache on device \Device\Harddisk0\DR0.
A warning event occurred. EventID: 0x80040022
Time Generated: 06/11/2013 15:25:39
Event String:
The driver disabled the write cache on device \Device\Harddisk0\DR0.
A warning event occurred. EventID: 0x000003F6
Time Generated: 06/11/2013 15:26:05
Event String:
Name resolution for the name _ldap._tcp.dc._msdcs.domain.local. timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x800009CF
Time Generated: 06/11/2013 15:26:08
Event String:
The server service was unable to recreate the share backup because the directory C:\backup no longer exists. Please run «net share backup /delete» to delete the share, or recreate the directory C:\backup.
A warning event occurred. EventID: 0x00000081
Time Generated: 06/11/2013 15:27:15
Event String:
NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: An existing connection was forcibly closed by the remote host. (0x80072746)
A warning event occurred. EventID: 0x000727AA
Time Generated: 06/11/2013 15:27:21
Event String:
The WinRM service failed to create the following SPNs: WSMAN/dc01.expertpro.local; WSMAN/dc01.
A warning event occurred. EventID: 0x0000000C
Time Generated: 06/11/2013 15:27:21
Event String:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
A warning event occurred. EventID: 0x00000090
Time Generated: 06/11/2013 15:27:37
Event String:
The time service has stopped advertising as a good time source.
A warning event occurred. EventID: 0xC000042B
Time Generated: 06/11/2013 15:29:36
Event String:
The RD Session Host server cannot register ‘TERMSRV’ Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
An error event occurred. EventID: 0x00000469
Time Generated: 06/11/2013 15:31:09
Event String:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
An error event occurred. EventID: 0x00000469
Time Generated: 06/11/2013 15:31:46
Event String:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
. DC01 failed test SystemLog
Starting test: VerifyReferences
. DC01 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
. ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
. ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
. DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
. DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
. Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
. Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
. Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
. Configuration passed test CrossRefValidation
Running partition tests on : domain
Starting test: CheckSDRefDom
. domain passed test CheckSDRefDom
Starting test: CrossRefValidation
. domain passed test CrossRefValidation
Running enterprise tests on : domain.local
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located — All GC’s are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located — All the KDCs are down.
. domain.local failed test LocatorCheck
Starting test: Intersite
. domain.local passed test Intersite
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : dc01
Primary Dns Suffix . . . . . . . : domain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.local
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-BF-45-05
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5507:3ae8:676e:4ab9%12(Preferred)
IPv4 Address. . . . . . . . . . . : 172.16.191.215(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 251663709
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-27-DB-13-00-15-5D-BF-45-05
DNS Servers . . . . . . . . . . . : 172.16.191.215
NetBIOS over Tcpip. . . . . . . . : Enabled
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Directory Service Event ID 1126
Active Directory Domain Services was unable to establish a connection with the global catalog.
Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.
Internal ID:
3200e24
User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.
Event Xml:
1126
0
2
18
0
0x8080000000000000
313
Directory Service
dc01.domain.local
3200e24
1355
The specified domain either does not exist or could not be contacted.
SYSTEM Event ID 1129
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
Event Xml:
1129
0
2
0
0
0x8000000000000000
5093
System
dc01.domain.local
1
1532
1
16
1222
The network is not present or not started.
SYSTEM Event ID 10010
The server <9ba05972-f6a8-11cf-a442-00a0c90a8f39>did not register with DCOM within the required timeout.
Event Xml:
Port Query :
Port Local IP State Remote IP:Port
TCP 53 127.0.0.1 LISTENING 0.0.0.0:0
TCP 53 172.16.191.215 LISTENING 0.0.0.0:0
UDP 53 127.0.0.1 *:*
UDP 53 172.16.191.215 *:*
TCP 88 0.0.0.0 LISTENING 0.0.0.0:0
UDP 88 172.16.191.215 *:*
UDP 123 0.0.0.0 *:*
TCP 135 0.0.0.0 LISTENING 0.0.0.0:0
TCP 135 127.0.0.1 ESTABLISHED 127.0.0.1:58949
TCP 135 172.16.191.215 ESTABLISHED 172.16.191.215:58952
UDP 137 172.16.191.215 *:*
UDP 138 172.16.191.215 *:*
TCP 139 172.16.191.215 LISTENING 0.0.0.0:0
TCP 389 0.0.0.0 LISTENING 0.0.0.0:0
TCP 389 127.0.0.1 ESTABLISHED 127.0.0.1:49159
TCP 389 127.0.0.1 ESTABLISHED 127.0.0.1:49160
TCP 389 127.0.0.1 ESTABLISHED 127.0.0.1:49161
TCP 389 172.16.191.215 ESTABLISHED 172.16.191.215:49175
TCP 389 172.16.191.215 ESTABLISHED 172.16.191.215:49180
UDP 389 0.0.0.0 *:*
TCP 445 0.0.0.0 LISTENING 0.0.0.0:0
TCP 464 0.0.0.0 LISTENING 0.0.0.0:0
UDP 464 172.16.191.215 *:*
TCP 593 0.0.0.0 LISTENING 0.0.0.0:0
TCP 636 0.0.0.0 LISTENING 0.0.0.0:0
TCP 3268 0.0.0.0 LISTENING 0.0.0.0:0
TCP 3269 0.0.0.0 LISTENING 0.0.0.0:0
TCP 3389 0.0.0.0 LISTENING 0.0.0.0:0
UDP 3389 0.0.0.0 *:*
UDP 5355 0.0.0.0 *:*
TCP 5985 0.0.0.0 LISTENING 0.0.0.0:0
TCP 9389 0.0.0.0 LISTENING 0.0.0.0:0
TCP 47001 0.0.0.0 LISTENING 0.0.0.0:0
TCP 49152 0.0.0.0 LISTENING 0.0.0.0:0
TCP 49153 0.0.0.0 LISTENING 0.0.0.0:0
TCP 49154 0.0.0.0 LISTENING 0.0.0.0:0
TCP 49155 0.0.0.0 LISTENING 0.0.0.0:0
TCP 49156 0.0.0.0 LISTENING 0.0.0.0:0
TCP 49156 127.0.0.1 ESTABLISHED 127.0.0.1:58950
TCP 49156 172.16.191.215 ESTABLISHED 172.16.191.215:49177
TCP 49158 0.0.0.0 LISTENING 0.0.0.0:0
TCP 49159 127.0.0.1 ESTABLISHED 127.0.0.1:389
TCP 49160 127.0.0.1 ESTABLISHED 127.0.0.1:389
TCP 49161 127.0.0.1 ESTABLISHED 127.0.0.1:389
TCP 49170 0.0.0.0 LISTENING 0.0.0.0:0
TCP 49171 0.0.0.0 LISTENING 0.0.0.0:0
TCP 49175 172.16.191.215 ESTABLISHED 172.16.191.215:389
TCP 49177 172.16.191.215 ESTABLISHED 172.16.191.215:49156
TCP 49180 172.16.191.215 ESTABLISHED 172.16.191.215:389
TCP 49182 0.0.0.0 LISTENING 0.0.0.0:0
UDP 49783 127.0.0.1 *:*
TCP 49804 172.16.191.215 ESTABLISHED 172.16.191.69:445
UDP 57560 127.0.0.1 *:*
TCP 58949 127.0.0.1 ESTABLISHED 127.0.0.1:135
TCP 58950 127.0.0.1 ESTABLISHED 127.0.0.1:49156
TCP 58952 172.16.191.215 ESTABLISHED 172.16.191.215:135
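For triaging saved dcdiag logs like the one in the post above, the following sketch extracts the failed tests and the DcGetDcName locator failures, including entries that dcdiag wrapped onto a second line. It is an added example, not part of the original post: the sample text is constructed from the output above, and the names `parse_dcdiag` and `summarize` are hypothetical.

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the dcdiag output quoted above. dcdiag wraps
# at 80 columns, so a test name or error code can land on the next line.
SAMPLE = """\
      Starting test: SystemLog
         ......................... DC01 failed test SystemLog
      Running partition tests on : ForestDnsZones
         ......................... ForestDnsZones passed test
         CrossRefValidation
   Running enterprise tests on : domain.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         1355
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         ......................... domain.local failed test LocatorCheck
      Starting test: Intersite
         ......................... domain.local passed test Intersite
"""

Result = namedtuple("Result", "target outcome test")
LocatorFailure = namedtuple("LocatorFailure", "flag error")
RESULT_RE = re.compile(r"\.+ (\S+) (passed|failed) test (\w+)")
LOCATOR_RE = re.compile(r"DcGetDcName\((\w+)\) call failed, error (\d+)")
# Win32 status codes as they are named in the nltest output on this page.
WIN32 = {1355: "ERROR_NO_SUCH_DOMAIN", 1722: "RPC_S_SERVER_UNAVAILABLE"}

def parse_dcdiag(text):
    """Return (test results, locator failures) found in dcdiag text output."""
    # Undo the 80-column wrap: collapse every whitespace run, newlines
    # included, so a wrapped test name or error code rejoins its line.
    flat = " ".join(text.split())
    results = [Result(*m.groups()) for m in RESULT_RE.finditer(flat)]
    locator = [LocatorFailure(f, int(e)) for f, e in LOCATOR_RE.findall(flat)]
    return results, locator

def summarize(text):
    """One line per failed test, then one per locator role not found."""
    results, locator = parse_dcdiag(text)
    lines = ["FAILED %s on %s" % (r.test, r.target)
             for r in results if r.outcome == "failed"]
    for f in locator:
        name = WIN32.get(f.error, "unknown")
        lines.append("LOCATOR %s -> %d %s" % (f.flag, f.error, name))
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

To run it over a real log, pass the contents of the file written by `dcdiag /f:` to `summarize` instead of `SAMPLE`.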
Symptoms
Advertising check
When performing a dcdiag on a Windows domain controller the following error can appear:
Starting test: Advertising
The DC DC1 is advertising itself as a DC and having a DS.
The DC DC1 is advertising as an LDAP server
The DC DC1 is advertising as having a writeable directory
The DC DC1 is advertising as a Key Distribution Center
Warning: DC1 is not advertising as a time server.
The DS DC1 is advertising as a GC.
......................... DC1 failed test Advertising
The exact command run to produce this test is:
dcdiag /v /test:advertising
FSMO Check
Another error can appear within a different check in dcdiag:
Starting test: FsmoCheck
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
The exact command run to produce this test is: dcdiag /test:fsmocheck
Cause
The dcdiag tool detects that the time service is either not running or
is running but not announcing itself as a reliable time server.
Resolution
Try each of these solutions one step at a time, re-testing after
completing each step until the problem is resolved.
- Ensure the Windows Time service is running. On a DC it is part of the core AD functionality and should be running even if synchronised time is not essential.
  net start w32time
- Restart the Windows Time service:
  net stop w32time && net start w32time
- Check that network problems are not stopping NTP from functioning. Note that Windows clients do not synchronise with the DCs via NTP; this only tests the ability of the DCs themselves to check an external time source:
  w32tm /stripchart /computer:time.windows.com /samples:2 /dataonly
  Error 0x800705B4 is a network timeout on port 123. time.windows.com should be replaced with the external time server you are using for a more complete test.
- Try:
  netdiag /fix
  Netdiag is part of the Windows Server 2003 Service Pack 1 Support Tools. This can also be used on Server 2008.
- If you received the error message "The service name is invalid" earlier, the Windows Time service is not even registered. Re-registering the W32time service can also fix some issues, so perform these steps anyway: see Re-registering the Windows Time Service below.
- Try:
  w32tm /resync /rediscover
- Check that the DC has the PDC role:
  netdom query fsmo
  If it does, run the following command:
  w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update
  Microsoft’s own free NTP server can be used as shown here, but I would recommend using one in your country if not in the US. For the UK I can recommend ntp2d.mcc.ac.uk but there are many others.
- Ensure that the DC is announcing itself correctly by checking that the AnnounceFlags are set correctly in the Registry. Edit the [HKLM\SYSTEM\CurrentControlSet\Services\w32time\Config\AnnounceFlags] key to a (the letter a) in hexadecimal. To allow the w32time service to read the config change:
  w32tm /config /update
Re-registering the Windows Time Service
w32tm /unregister
rem Ignore Access denied message if it appears and repeat
w32tm /unregister
w32tm /register
rem Before the re-register command will work you may have to reboot.
This gives a vanilla set of settings, after which the service can be
restarted:
If you receive an error message regarding SIDs then the DC will need to be rebooted again.
See Also
- Configure the Windows Time service on the PDC emulator: http://technet.microsoft.com/en-us/library/cc786897(WS.10).aspx
- Windows Time Service Tools and Settings
- Windows Time Server — AnnounceFlags
There can be two reasons for this: either Sysvol/Netlogon is missing or the Windows Time service is not started.
A quick resolution is to change the time server:
Open Registry Editor (regedit.exe) and configure the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
How to configure an authoritative time server in Windows Server:
https://support.microsoft.com/en-in/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server
This happens due to an underlying communication problem between the restored DC and the other DCs. This is causing your SYSVOL replication failure. Until FRS can successfully replicate at once it will hide all the SYSVOL files in the folder NtFrs_PreExisting___See_EventLog. FRS will move the files back to their original locations only when it can successfully cross-replicate with another domain controller. But until at least one such successful replication occurs, all the files in SYSVOL will remain hidden in the PreExisting folder. This means that the SYSVOL will appear to be empty and Group Policy will fail.
Since DcGetDcName is failing, it indicates a problem with name resolution. Incorrect configuration of DNS is the #1 cause of problems with Active Directory. If DNS is configured incorrectly, domain controllers will not be able to locate each other for replication.
You need to troubleshoot DNS. On the GC, inspect the file C:\Windows\System32\config\netlogon.dns with NOTEPAD.EXE. Make sure that all of the A and SRV records listed therein exist in DNS and can be queried from the misbehaving DC. The SRV records identify the name of the GC and the A records map the name to an IP address.
Use DNSLINT to diagnose DNS errors. https://support.microsoft.com/en-us/help/321045/description-of-the-dnslint-utility
Type the command
dnslint /ad 127.0.0.1 /s 11.22.33.44 /v
Where 11.22.33.44 is the IP address of the DNS server. Run nslookup and verify that it connects to the same DNS server. Check your DNS client settings to make sure it is pointing at the right one.
Check the event log for error messages for additional clues. Check all logs (Administrative, DNS, Directory Services, etc).
Source: https://www.experts-exchange.com/questions/23970181/DcGetDcName-call-failed-error-1355-after-non-auth-restore-with-burl-flag.html
To verify that this server is a global catalog, run:
repadmin /options
You should see at least “Current Options: IS_GC”
Verify that your old DCs have been removed.
You can check that too by doing a metadata cleanup.