Re: [ActiveDir] Unable to logon after DCPromo - oddness
On 18/01/07, Bahta, Nathaniel V CTR USAF NASIC/SCNA <[EMAIL PROTECTED]> wrote:
> You can run dcdiag on the enterprise which will gather data from every server. Try doing that and collecting data on the issue. Also, do the objects exist in Sites and Services for the server to replicate among its peers?

Thanks to all for the many suggestions. I hadn't realised that things like dcdiag didn't need to be run on the affected DC.

Sadly, it's too late now, as the DC has gone to that big server-room in the sky (or rather, Windows has been re-installed). I checked the unattend file that was used to run dcpromo and found it was being run by a VBS, with 'On Error Resume Next'.

Running the dcpromo on other servers since then has worked fine, and now the decision's been made to run dcpromo manually for this batch of 50 servers.

Oh well, it'll have to remain one of life's unsolved mysteries.

--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not prove anything." - Nietzsche

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] Unable to logon after DCPromo - oddness
You can run dcdiag on the enterprise which will gather data from every server. Try doing that and collecting data on the issue. Also, do the objects exist in Sites and Services for the server to replicate among its peers?

Try checking out some of that stuff,
Nate

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katrin Wilhelm
Sent: Wednesday, January 17, 2007 4:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unable to logon after DCPromo - oddness

Hi Adam,

I used to have similar problems after DCpromo - can you verify that in the server properties (AD Users and Computers) the flag is set to trust this computer? At least this was what was missing for my servers; after checking the box it was working fine (btw, I later found out that the admin before me changed permissions for the Enterprise Admin account, which resulted in these problems).

Hope that helps.

Cheers,
Kat
MCSA

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Thursday, 18 January 2007 12:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unable to logon after DCPromo - oddness

Dear collective,

I'm hoping somebody can help out with a little problem I've got here. I've got a Windows 2003 R2 Server, which I've joined to a domain, and dcpromo'd.

After the dcpromo and subsequent reboot, I can't logon to the server, either 'interactively' or via RDP, or using PsExec. I can access file shares, like c$, and I can point MMC snap-ins to the computer without problems.

The fact that the server is now a DC seems to have replicated around just fine (all DCs show that the server is now in the Domain Controllers OU), but all the SRV records are missing.

The system log is full of Netlogon 5774 events, suggesting I run dcdiag, which is a nice suggestion, but I can't log on to the server to do it.

Another (healthy) DC's directory service logs show plenty of event 1699s, complaining:

The local domain controller failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send the change requests to the domain controller at the following network address.

Directory partition:
CN=RID Manager$,CN=System,DC=domain,DC=co,DC=uk
Network address:
a5859b6d-e8a7-4b50-aab8-ba0e03d259f3._msdcs.domain.co.uk
Extended request code:
2

Additional Data
Error value:
8453 Replication access was denied.

Has something gone horribly wrong here, or am I overlooking something simple that I'm going to kick myself about later?

Any ideas appreciated,

--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not prove anything." - Nietzsche
RE: [ActiveDir] Unable to logon after DCPromo - oddness
Hi Adam,

I used to have similar problems after DCpromo - can you verify that in the server properties (AD Users and Computers) the flag is set to trust this computer? At least this was what was missing for my servers; after checking the box it was working fine (btw, I later found out that the admin before me changed permissions for the Enterprise Admin account, which resulted in these problems).

Hope that helps.

Cheers,
Kat
MCSA

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Thursday, 18 January 2007 12:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unable to logon after DCPromo - oddness

Dear collective,

I'm hoping somebody can help out with a little problem I've got here. I've got a Windows 2003 R2 Server, which I've joined to a domain, and dcpromo'd.

After the dcpromo and subsequent reboot, I can't logon to the server, either 'interactively' or via RDP, or using PsExec. I can access file shares, like c$, and I can point MMC snap-ins to the computer without problems.

The fact that the server is now a DC seems to have replicated around just fine (all DCs show that the server is now in the Domain Controllers OU), but all the SRV records are missing.

The system log is full of Netlogon 5774 events, suggesting I run dcdiag, which is a nice suggestion, but I can't log on to the server to do it.

Another (healthy) DC's directory service logs show plenty of event 1699s, complaining:

The local domain controller failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send the change requests to the domain controller at the following network address.

Directory partition:
CN=RID Manager$,CN=System,DC=domain,DC=co,DC=uk
Network address:
a5859b6d-e8a7-4b50-aab8-ba0e03d259f3._msdcs.domain.co.uk
Extended request code:
2

Additional Data
Error value:
8453 Replication access was denied.

Has something gone horribly wrong here, or am I overlooking something simple that I'm going to kick myself about later?

Any ideas appreciated,

--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not prove anything." - Nietzsche
RE: [ActiveDir] Unable to logon after DCPromo - oddness
If you can view the event logs remotely, then you should be able to run DCDIAG remotely as well as REPADMIN.

DCDIAG /S:remoteDCname
REPADMIN /showrepl remoteDCname

Wook

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 17, 2007 7:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Unable to logon after DCPromo - oddness

On 17/01/07, Holt, Will <[EMAIL PROTECTED]> wrote:
> Adam,
>
> "SRV records are missing"
>
> Question: Has the server actually got write rights to the relevant DNS Zones?

Yes, it certainly has

> Have you got the flag set on the DNS settings on the net adapter "register in DNS"?

Check

> Can you rcmd or go over an RSB\RIB Board
> Have you actually tried running: dcdiag /test:RegisterInDNS /DnsDomain:XXX

Haven't tried rcmd, but was unable to use PsExec. The server's being rebuilt at the moment, so hopefully I won't get the chance to find out.

> Regards
>
> Will
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
> Sent: Mittwoch, 17. Januar 2007 14:07
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Unable to logon after DCPromo - oddness
>
> Dear collective,
>
> I'm hoping somebody can help out with a little problem I've got here. I've got a Windows 2003 R2 Server, which I've joined to a domain, and dcpromo'd.
>
> After the dcpromo and subsequent reboot, I can't logon to the server, either 'interactively' or via RDP, or using PsExec. I can access file shares, like c$, and I can point MMC snap-ins to the computer without problems.
>
> The fact that the server is now a DC seems to have replicated around just fine (all DCs show that the server is now in the Domain Controllers OU), but all the SRV records are missing.
>
> The system log is full of Netlogon 5774 events, suggesting I run dcdiag, which is a nice suggestion, but I can't log on to the server to do it.
>
> Another (healthy) DC's directory service logs show plenty of event 1699s, complaining:
>
> The local domain controller failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send the change requests to the domain controller at the following network address.
>
> Directory partition:
> CN=RID Manager$,CN=System,DC=domain,DC=co,DC=uk
> Network address:
> a5859b6d-e8a7-4b50-aab8-ba0e03d259f3._msdcs.domain.co.uk
> Extended request code:
> 2
>
> Additional Data
> Error value:
> 8453 Replication access was denied.
>
> Has something gone horribly wrong here, or am I overlooking something simple that I'm going to kick myself about later?
>
> Any ideas appreciated,
>

--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not prove anything." - Nietzsche
Re: [ActiveDir] Unable to logon after DCPromo - oddness
On 17/01/07, Holt, Will <[EMAIL PROTECTED]> wrote:
> Adam,
>
> "SRV records are missing"
>
> Question: Has the server actually got write rights to the relevant DNS Zones?

Yes, it certainly has

> Have you got the flag set on the DNS settings on the net adapter "register in DNS"?

Check

> Can you rcmd or go over an RSB\RIB Board
> Have you actually tried running: dcdiag /test:RegisterInDNS /DnsDomain:XXX

Haven't tried rcmd, but was unable to use PsExec. The server's being rebuilt at the moment, so hopefully I won't get the chance to find out.

> Regards
>
> Will
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
> Sent: Mittwoch, 17. Januar 2007 14:07
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Unable to logon after DCPromo - oddness
>
> Dear collective,
>
> I'm hoping somebody can help out with a little problem I've got here. I've got a Windows 2003 R2 Server, which I've joined to a domain, and dcpromo'd.
>
> After the dcpromo and subsequent reboot, I can't logon to the server, either 'interactively' or via RDP, or using PsExec. I can access file shares, like c$, and I can point MMC snap-ins to the computer without problems.
>
> The fact that the server is now a DC seems to have replicated around just fine (all DCs show that the server is now in the Domain Controllers OU), but all the SRV records are missing.
>
> The system log is full of Netlogon 5774 events, suggesting I run dcdiag, which is a nice suggestion, but I can't log on to the server to do it.
>
> Another (healthy) DC's directory service logs show plenty of event 1699s, complaining:
>
> The local domain controller failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send the change requests to the domain controller at the following network address.
>
> Directory partition:
> CN=RID Manager$,CN=System,DC=domain,DC=co,DC=uk
> Network address:
> a5859b6d-e8a7-4b50-aab8-ba0e03d259f3._msdcs.domain.co.uk
> Extended request code:
> 2
>
> Additional Data
> Error value:
> 8453 Replication access was denied.
>
> Has something gone horribly wrong here, or am I overlooking something simple that I'm going to kick myself about later?
>
> Any ideas appreciated,
>

--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not prove anything." - Nietzsche
RE: [ActiveDir] Unable to logon after DCPromo - oddness
Adam,

"SRV records are missing"

Question: Has the server actually got write rights to the relevant DNS Zones?

Have you got the flag set on the DNS settings on the net adapter "register in DNS"?

Can you rcmd or go over an RSB\RIB Board
Have you actually tried running: dcdiag /test:RegisterInDNS /DnsDomain:XXX

Regards

Will

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Mittwoch, 17. Januar 2007 14:07
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unable to logon after DCPromo - oddness

Dear collective,

I'm hoping somebody can help out with a little problem I've got here. I've got a Windows 2003 R2 Server, which I've joined to a domain, and dcpromo'd.

After the dcpromo and subsequent reboot, I can't logon to the server, either 'interactively' or via RDP, or using PsExec. I can access file shares, like c$, and I can point MMC snap-ins to the computer without problems.

The fact that the server is now a DC seems to have replicated around just fine (all DCs show that the server is now in the Domain Controllers OU), but all the SRV records are missing.

The system log is full of Netlogon 5774 events, suggesting I run dcdiag, which is a nice suggestion, but I can't log on to the server to do it.

Another (healthy) DC's directory service logs show plenty of event 1699s, complaining:

The local domain controller failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send the change requests to the domain controller at the following network address.

Directory partition:
CN=RID Manager$,CN=System,DC=domain,DC=co,DC=uk
Network address:
a5859b6d-e8a7-4b50-aab8-ba0e03d259f3._msdcs.domain.co.uk
Extended request code:
2

Additional Data
Error value:
8453 Replication access was denied.

Has something gone horribly wrong here, or am I overlooking something simple that I'm going to kick myself about later?

Any ideas appreciated,

--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not prove anything." - Nietzsche
RE: [ActiveDir] Unable to logon after DCPromo - oddness
Since you can get to C$, can you get the dcpromo*.log files, which may help determine what is going on?

Thanks,
-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 17, 2007 7:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unable to logon after DCPromo - oddness

Dear collective,

I'm hoping somebody can help out with a little problem I've got here. I've got a Windows 2003 R2 Server, which I've joined to a domain, and dcpromo'd.

After the dcpromo and subsequent reboot, I can't logon to the server, either 'interactively' or via RDP, or using PsExec. I can access file shares, like c$, and I can point MMC snap-ins to the computer without problems.

The fact that the server is now a DC seems to have replicated around just fine (all DCs show that the server is now in the Domain Controllers OU), but all the SRV records are missing.

The system log is full of Netlogon 5774 events, suggesting I run dcdiag, which is a nice suggestion, but I can't log on to the server to do it.

Another (healthy) DC's directory service logs show plenty of event 1699s, complaining:

The local domain controller failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send the change requests to the domain controller at the following network address.

Directory partition:
CN=RID Manager$,CN=System,DC=domain,DC=co,DC=uk
Network address:
a5859b6d-e8a7-4b50-aab8-ba0e03d259f3._msdcs.domain.co.uk
Extended request code:
2

Additional Data
Error value:
8453 Replication access was denied.

Has something gone horribly wrong here, or am I overlooking something simple that I'm going to kick myself about later?

Any ideas appreciated,

--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not prove anything." - Nietzsche
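
The event 1699 description quoted in the original post has a fixed label/value layout, so a batch of them can be triaged from a healthy DC by peer and error code. This is an added PowerShell example, not code from any message in the thread; the function name ConvertFrom-Event1699 and the second sample event are hypothetical, and it assumes the label before "._msdcs." is the GUID-based DNS alias of the peer DC.

```powershell
# Constructed sample input: the first description follows the event 1699 text quoted in the thread; the second is invented for contrast.
$samples = @(
@'
Directory partition:
CN=RID Manager$,CN=System,DC=domain,DC=co,DC=uk
Network address:
a5859b6d-e8a7-4b50-aab8-ba0e03d259f3._msdcs.domain.co.uk
Extended request code:
2
Additional Data
Error value:
8453 Replication access was denied.
'@,
@'
Directory partition:
DC=domain,DC=co,DC=uk
Network address:
a5859b6d-e8a7-4b50-aab8-ba0e03d259f3._msdcs.domain.co.uk
Error value:
1722 The RPC server is unavailable.
'@
)
function ConvertFrom-Event1699 {
    param([Parameter(Mandatory)][string]$Message)
    $field = @{}
    foreach ($label in 'Directory partition', 'Network address', 'Extended request code', 'Error value') {
        # The value is the first non-blank text after "<label>:", normally on the next line.
        if ($Message -match "(?m)^\s*$([regex]::Escape($label)):\s*(\S[^\r\n]*)") {
            $field[$label] = $Matches[1].Trim()
        }
    }
    $code = $null; $text = $null; $guid = $null
    if ($field['Error value'] -match '^(\d+)\s*(.*)$') { $code = [int]$Matches[1]; $text = $Matches[2] }
    if ($field['Network address'] -match '^([0-9a-f-]{36})\._msdcs\.') { $guid = $Matches[1] }
    [pscustomobject]@{
        Partition    = $field['Directory partition']
        PeerDsaGuid  = $guid
        RequestCode  = $field['Extended request code']
        ErrorCode    = $code
        ErrorText    = $text
        AccessDenied = ($code -eq 8453)   # 8453 = "Replication access was denied."
    }
}
# One row per peer DC and error code, so a single failing DC stands out.
$samples | ForEach-Object { ConvertFrom-Event1699 -Message $_ } |
    Group-Object PeerDsaGuid, ErrorCode |
    Select-Object Count, @{n = 'Peer'; e = { $_.Group[0].PeerDsaGuid } },
        @{n = 'Error'; e = { $_.Group[0].ErrorText } },
        @{n = 'Partitions'; e = { $_.Group.Partition -join ' | ' } }
```

On a live DC the input would be the message text of each event 1699 read from the Directory Service log in place of `$samples`.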