Server 2003 sp3 error - Domain controller cannot be found ?

Sponsored Links

Hello,

We have two 2003 servers running, both DC's for the same domain, with
active directory replicated between them for redundancy. Everything
worked fine during initial testing, but after mistakenly setting up a
trust between the two servers (its not needed, right?), I was unable to
access any shares on the second server (not the Global Catalogue
server), even from itself!
When I try to access the shares, I receive an error : .... Access is
denied or the domain controller cannot be located!

I tried to remove the trusts, but I then get an error - : the directory
is busy...

I can ping server2.mydomain ok, and it seems as if active directory
objects are still replicating to it, but I may be mistaken. I've tried
creating new shares with liberal permissions but alas, same error!

I was considering demoting the second machine, but it is running
exchange and I am concerned that this may affect it.

Help?!?

Thanks

Max

Mmaxx wrote:
> Hello,
>
> We have two 2003 servers running, both DC's for the same domain, with
> active directory replicated between them for redundancy. Everything
> worked fine during initial testing, but after mistakenly setting up a
> trust between the two servers (its not needed, right?), I was unable to
> access any shares on the second server (not the Global Catalogue
> server), even from itself!
> When I try to access the shares, I receive an error : .... Access is
> denied or the domain controller cannot be located!
>
> I tried to remove the trusts, but I then get an error - : the directory
> is busy...
>
> I can ping server2.mydomain ok, and it seems as if active directory
> objects are still replicating to it, but I may be mistaken. I've tried
> creating new shares with liberal permissions but alas, same error!
>
> I was considering demoting the second machine, but it is running
> exchange and I am concerned that this may affect it.
>
> Help?!?
>
> Thanks
>
> Max

I don't have a solution, but definitely DO NOT DEMOTE the second DC...
at least not yet. Exchange will have problems.....

When you get it resolved, you really should get Exchange off of a DC.
it's not a good idea.

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services

Hank Arnold (MVP) wrote:
> I don't have a solution, but definitely DO NOT DEMOTE the second DC...
> at least not yet. Exchange will have problems.....
>
> When you get it resolved, you really should get Exchange off of a DC.
> it's not a good idea.
The second DC is primarily for running exchange, and to offer some
failover if the primary crashes(which it just did a few days back..),
I've looked at some of the arguments against exchange on Dc and it looks
like this is an acceptable risk for now.

I've subsequently noticed that if I use the IP address of the second dc
I can access the shares perfectly! I checked DNS on both machines and it
seems ok, I found duplicate names for the one machine but have deleted
it. The problem still persists if I use the name of the server to access it.

I think it has some thing to do with the faulty oneway outgoing trust.
But I am unable to delete this - Error:: The directory is busy

Is there a way to manually force a deletion of the trust?

Max

Mmaxx wrote:
> Hank Arnold (MVP) wrote:
> > I don't have a solution, but definitely DO NOT DEMOTE the second DC...
>> at least not yet. Exchange will have problems.....
>>
>> When you get it resolved, you really should get Exchange off of a DC.
>> it's not a good idea.
> The second DC is primarily for running exchange, and to offer some
> failover if the primary crashes(which it just did a few days back..),
> I've looked at some of the arguments against exchange on Dc and it looks
> like this is an acceptable risk for now.
>
> I've subsequently noticed that if I use the IP address of the second dc
> I can access the shares perfectly! I checked DNS on both machines and it
> seems ok, I found duplicate names for the one machine but have deleted
> it. The problem still persists if I use the name of the server to access
> it.

All that means is that the network is working just fine. You can screw
up SMB signing in group policy and prevent member servers from accessing
group policies through the sysvol share which is access by the domain
name. However if you would try to access the same share using the IP of
the domain then it works just fine. Again, it just means that the
network is okay but there is still something messed up in ADS.

I can't help with your specific problem though unfortunately. I just
wanted to let you know that being able to do stuff through the IP is
meaningless since ADS does stuff through names for one thing, and even
when DNS is working, it doesn't mean your problem should be non-existent.

You *could* try resetting the machine passwords for the DCs if you can
find any hint that they do not trust each other (not meaning an explicit
trust though). That would reset their machine accounts. Doing that for a
DC though is riskier than for a member server and I wouldn't do it
unless it is a last resort and you have some way of knowing that it
might be worth it.

>
> I think it has some thing to do with the faulty oneway outgoing trust.
> But I am unable to delete this - Error:: The directory is busy
>
> Is there a way to manually force a deletion of the trust?
>
> Max

Hello Mmaxx,

Please tell about more about the crash and how did you resolve it? Think
your problems comes from that.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hank Arnold (MVP) wrote:
>
>> I don't have a solution, but definitely DO NOT DEMOTE the second
>> DC... at least not yet. Exchange will have problems.....
>>
>> When you get it resolved, you really should get Exchange off of a DC.
>> it's not a good idea.
>>
> The second DC is primarily for running exchange, and to offer some
> failover if the primary crashes(which it just did a few days back..),
> I've looked at some of the arguments against exchange on Dc and it
> looks like this is an acceptable risk for now.
>
> I've subsequently noticed that if I use the IP address of the second
> dc I can access the shares perfectly! I checked DNS on both machines
> and it seems ok, I found duplicate names for the one machine but have
> deleted it. The problem still persists if I use the name of the server
> to access it.
>
> I think it has some thing to do with the faulty oneway outgoing trust.
> But I am unable to delete this - Error:: The directory is busy
>
> Is there a way to manually force a deletion of the trust?
>
> Max
>

Meinolf Weber wrote:
> Hello Mmaxx,
>
> Please tell about more about the crash and how did you resolve it? Think
> your problems comes from that.
It was a windows 2000 dc that crashed, the current dc was a member of
that domain. Due to a silly partitioning scheme i think, we could not
restore the old system state successfully(inaccesable boot device), so
to save time, we promoted the existing 2003 server to a domain
controller (in effect recreating the domain) and brought another 2003 dc
online to run the exchange. All was well until I erroneously messed with
the trusts, it was 4am and it seemed like a Good Thing (tm) at that
time, alas, it was not :-(

I found some info on MS about it, I essentially used the secondary's
FQDN to create the trust, which resulted in an outgoing trust for the
with the name of the secondDC as the domain. In effect then as per the
description in the faulty trust properties :

Outgoing: Users in the specified domain (mydomain.local) can
authenticate in the local domain(secondDCserver), but users in the local
domain(mydomain.local) cannot authenticate in the specified
domain(secondDCserver).

This is exactly the problem I am getting. I can access any resources on
primaryDCServer but not on secondDCserver.

It seems my inability to delete the trust has something to do with the
AD timing out as there are too many items to delete.....

Max

Run diagnostics against your Active Directory domain.

If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take
into account slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in notepad text files that pop up automagically.

The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.

Description and download for dnslint
http://support.microsoft.com/kb/321045


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Mmaxx" <mmaxx@webmail.co.za> wrote in message
news:FvidnZmjGqAHie3VnZ2dnUVZ8sninZ2d@saix.net...
> Hello,
>
> We have two 2003 servers running, both DC's for the same domain, with
> active directory replicated between them for redundancy. Everything worked
> fine during initial testing, but after mistakenly setting up a trust
> between the two servers (its not needed, right?), I was unable to access
> any shares on the second server (not the Global Catalogue server), even
> from itself!
> When I try to access the shares, I receive an error : .... Access is
> denied or the domain controller cannot be located!
>
> I tried to remove the trusts, but I then get an error - : the directory is
> busy...
>
> I can ping server2.mydomain ok, and it seems as if active directory
> objects are still replicating to it, but I may be mistaken. I've tried
> creating new shares with liberal permissions but alas, same error!
>
> I was considering demoting the second machine, but it is running exchange
> and I am concerned that this may affect it.
>
> Help?!?
>
> Thanks
>
> Max

Hello Mmaxx,

If i understand you correct the crashed DC was the only one before? And you
just built a new domain? Did you also add the rest of your domain machines
to the new domain? Please give some more infos about this. Even if you give
a new DC the same domain name it will be a DIFFERENT ONE from the old one
with a new Domain identifier.

Was the crached DC FSMO holder? Make sure that all 5 FSMO roles exists on
one off the running DC's. In a command window type "netdom query fsmo" without
the quotes, to make sure that you have all of them.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Meinolf Weber wrote:
>
>> Hello Mmaxx,
>>
>> Please tell about more about the crash and how did you resolve it?
>> Think your problems comes from that.
>>
> It was a windows 2000 dc that crashed, the current dc was a member of
> that domain. Due to a silly partitioning scheme i think, we could not
> restore the old system state successfully(inaccesable boot device), so
> to save time, we promoted the existing 2003 server to a domain
> controller (in effect recreating the domain) and brought another 2003
> dc online to run the exchange. All was well until I erroneously messed
> with the trusts, it was 4am and it seemed like a Good Thing (tm) at
> that time, alas, it was not :-(
>
> I found some info on MS about it, I essentially used the secondary's
> FQDN to create the trust, which resulted in an outgoing trust for the
> with the name of the secondDC as the domain. In effect then as per the
> description in the faulty trust properties :
>
> Outgoing: Users in the specified domain (mydomain.local) can
> authenticate in the local domain(secondDCserver), but users in the
> local domain(mydomain.local) cannot authenticate in the specified
> domain(secondDCserver).
>
> This is exactly the problem I am getting. I can access any resources
> on primaryDCServer but not on secondDCserver.
>
> It seems my inability to delete the trust has something to do with the
> AD timing out as there are too many items to delete.....
>
> Max
>

Hah! the plot thickens! Thanks Paul, I already had the support tools
installed but forgot all about them.
All the tests pass except for two in DCdiag

Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share!
(\\seconddcserver\netlogon)
[dcserver] An net use or LsaPolicy operation failed with
error 1203, No network provider accepted the given network path..
......................... dcserver failed test NetLogons

And:

Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0xC0002719
Time Generated: 07/07/2008 16:34:57
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 07/07/2008 16:35:44
(Event String could not be retrieved)
......................... dcserver failed test systemlog

I'm still working on the systemlog failure but the only results i find
for netlogon at MS leads to a dead end :

http://support.microsoft.com/kb/940684/en-us

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products
that are listed in the "Applies to" section.

Will revert with more info if it helps....

Max

Check the File Replication Service Event Log and see if you can find an
event #'d 13553. This should tell you sysvol is now being successfully
shared.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Mmaxx" <mmaxx@webmail.co.za> wrote in message
news:DuKdnXXHBuG5oO_VnZ2dnUVZ8qXinZ2d@saix.net...
>
> Hah! the plot thickens! Thanks Paul, I already had the support tools
> installed but forgot all about them.
> All the tests pass except for two in DCdiag
>
> Starting test: NetLogons
> * Network Logons Privileges Check
> Unable to connect to the NETLOGON share!
> (\\seconddcserver\netlogon)
> [dcserver] An net use or LsaPolicy operation failed with error
> 1203, No network provider accepted the given network path..
> ......................... dcserver failed test NetLogons
>
> And:
>
> Starting test: systemlog
> * The System Event log test
> An Error Event occured. EventID: 0xC0002719
> Time Generated: 07/07/2008 16:34:57
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0xC0002719
> Time Generated: 07/07/2008 16:35:44
> (Event String could not be retrieved)
> ......................... dcserver failed test systemlog
>
> I'm still working on the systemlog failure but the only results i find for
> netlogon at MS leads to a dead end :
>
> http://support.microsoft.com/kb/940684/en-us
>
> STATUS
> Microsoft has confirmed that this is a problem in the Microsoft products
> that are listed in the "Applies to" section.
>
> Will revert with more info if it helps....
>
> Max

In news:DuKdnXXHBuG5oO_VnZ2dnUVZ8qXinZ2d@saix.net,
Mmaxx <mmaxx@webmail.co.za> typed:
> Hah! the plot thickens! Thanks Paul, I already had the support tools
> installed but forgot all about them.
> All the tests pass except for two in DCdiag
>
> Starting test: NetLogons
> * Network Logons Privileges Check
> Unable to connect to the NETLOGON share!
> (\\seconddcserver\netlogon)
> [dcserver] An net use or LsaPolicy operation failed with
> error 1203, No network provider accepted the given network path..
> ......................... dcserver failed test NetLogons
>
> And:
>
> Starting test: systemlog
> * The System Event log test
> An Error Event occured. EventID: 0xC0002719
> Time Generated: 07/07/2008 16:34:57
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0xC0002719
> Time Generated: 07/07/2008 16:35:44
> (Event String could not be retrieved)
> ......................... dcserver failed test systemlog
<snipped>

Maxx,

Can you do us a favor and post an unedited ipconfig /all from both DCs?
Thanks - this will help eliminate any DNS and other mis-configuration if
present. DNS misconfigs can cause numerous issues. If you built this domain
up from scratch with two DCs, it should be purring like a finely tuned race
car. Depending on whatever else occured, and taking in to account other
things can cause issues such as single label domain names, multihomed DCs,
we can at least start with the ipconfigs and work from there.

Also, I saw your other post too about trusts. By default the DCs trust each
other but that won't show up in Trusts because it's only one domain. Were
you trying to create a trust between the two DCs? If so, delete the entry
please.

Thanks.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations

Meinolf Weber wrote:
> Hello Mmaxx,
>
> If i understand you correct the crashed DC was the only one before?
YEs, there were other member servers, but they were not AD enabled.

> And
> you just built a new domain?
IT was quicker than trying to get the system state backups working,
which we tried for a whole day....
> Did you also add the rest of your domain
> machines to the new domain?
Yes we then rejoined all the machines, re added the users etc.

> Was the crached DC FSMO holder? Make sure that all 5 FSMO roles exists
> on one off the running DC's. In a command window type "netdom query
> fsmo" without the quotes, to make sure that you have all of them.
All the FSMO roles are held by the new DC, it is the new backup DC thats
giving problems....


Max

Ace Fekay [MVP] wrote:

> Also, I saw your other post too about trusts. By default the DCs trust each
> other but that won't show up in Trusts because it's only one domain. Were
> you trying to create a trust between the two DCs? If so, delete the entry
> please.
This is the problem i am sitting with, I realised later that I did not
require the trusts and proceeded to delete them. The incoming one was
deleted ok, but when I try to delete the outgoing trust I get : the
Directory is busy, twice, then the trust just stays there

I cant seem to delete the trust, looks like it will require editing the
AD manually....

Max

Hello Mmaxx,

Please post an unedited ipconfig /all from both DC's.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Meinolf Weber wrote:
>
>> Hello Mmaxx,
>>
>> If i understand you correct the crashed DC was the only one before?
>>
> YEs, there were other member servers, but they were not AD enabled.
>
>> And you just built a new domain?
>>
> IT was quicker than trying to get the system state backups working,
> which we tried for a whole day....
>
>> Did you also add the rest of your domain machines to the new domain?
>>
> Yes we then rejoined all the machines, re added the users etc.
>
>> Was the crached DC FSMO holder? Make sure that all 5 FSMO roles
>> exists on one off the running DC's. In a command window type "netdom
>> query fsmo" without the quotes, to make sure that you have all of
>> them.
>>
> All the FSMO roles are held by the new DC, it is the new backup DC
> thats giving problems....
>
> Max
>

Meinolf Weber wrote:
> Hello Mmaxx,
>
> Please post an unedited ipconfig /all from both DC's.

Had 2 change the domain names to protect the innocent......

Primary Domain Cont. Global Cat. :

Windows IP Configuration

Host Name . . . . . . . . . . . . : dcserver1
Primary Dns Suffix . . . . . . . : internal.mydomain.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : internal.mydomain.com
mydomain.com
com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-11-09-2B-04-9C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.160.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.160.11
DNS Servers . . . . . . . . . . . : 192.168.160.5
192.168.160.2
NetBIOS over Tcpip. . . . . . . . : Disabled

Backup DC, Exchange :

Windows IP Configuration

Host Name . . . . . . . . . . . . : dcserver
Primary Dns Suffix . . . . . . . : internal.mydomain.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : internal.mydomain.com
mydomain.com
com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast
Ethernet
NIC #2
Physical Address. . . . . . . . . : 00-13-D3-FD-02-3E
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.160.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.160.11
DNS Servers . . . . . . . . . . . : 192.168.160.2
192.168.160.5
NetBIOS over Tcpip. . . . . . . . : Disabled

Leme know if you need more info