Promote domain controller fails

  • Question

  • I am migrating my office to ADDS. I set up two domain controllers, I wanted to change the server name on one of them. I believe all replication was done and I would be able to demote it, change the name, and bring it back but I obviously missed a step or two. When I ran DCPROMO to bring it back it failed. The error message is:

    "ADDS could not create the NTDS Settings object for the ADDC"

    "While processing a change to the DNS Host Name for an object, the Service Principal Name values could not be kept in sync."

    The working DC gives a warning: "The attempt to establish a replication link for the following writable directory partition failed. Error value: 8524 The DSA operation is unable to proceed because of a DNS lookup failure."

    The servers can ping each other by IP and by FQDN. Windows finds the working DC in the DCPROMO wizard. Nslookup gives the name and IP of the server that is up and running. I have domain, schema, and enterprise admin rights. Ipconfig /registerdns doesn't give any error messages. They see each other just fine but fail on replication, it seems. Both servers are recent installs of Server 2008 R2 Standard with all updates. The roles that worked before are ADDS, DNS, File Services, and Print Services. The Print Services seem to be working. Both servers worked fine before the demotion. I changed the name back to the original to see if that helped.

    Any ideas on how to fix this? Could I remove all the roles that don't work, then add them back?

    Friday, September 9, 2011, 8:49 PM

Answers

  • Saturday, September 10, 2011, 2:31 AM
  • The link Darshana provided shows the simple way to rename a DC.

    But since you got this far, just to add, you could have just missed putting in the correct DNS address. The error "...Error value: 8524 The DSA operation is unable to proceed because of a DNS lookup failure" can be caused by:

    • The DNS addresses in the NIC IP properties contain DNS addresses other than the current DC (you can't use any other DNS addresses in the IP properties, such as an ISP's DNS, the router as a DNS address, etc.)
    • The current DC is multihomed, has more than one IP, and/or RRAS is installed on it.
    • All of the above.

    Please provide an unedited ipconfig /all of the current DC and the machine you want to promote, to help us diagnose the problem, as well as to evaluate their configs for any issues.

    Also, here are a couple of tutorials. Please take note of the DNS instructions in the tutorials.

    Remove a Current Operational Domain Controller from Active Directory
    http://msmvps.com/blogs/acefekay/archive/2010/10/09/remove-a-current-operational-domain-controller-from-active-directory.aspx

    Remove an Old DC and Introduce a New DC with the Same Name and IP Address
    http://msmvps.com/blogs/acefekay/archive/2010/10/09/remove-an-old-dc-and-introduce-a-new-dc-with-the-same-name-and-ip-address.aspx

     


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    Saturday, September 10, 2011, 3:27 AM
  • Hi,

     

    In summary, the 8524 replication status is logged when a destination DC is unable to resolve the source DC by its CNAME and Host "A" or Host "AAAA" records using DNS. Specific root causes include:

     

    1. The source DC is offline, or no longer exists but its NTDS Settings object still exists in the destination DC's copy of Active Directory.

    2. The source DC failed to register the CNAME or host records on one or more DNS servers, either because the registration attempts failed or because the DNS client settings on the source do not point to DNS servers that either host, forward, or delegate its _msdcs.<forest root domain> zone and/or primary DNS suffix domain zones.

    3. DNS client settings on the destination DC do not point to DNS Servers that either host, forward or delegate the DNS zones containing the CNAME or host records for the source DC.

    4. CNAME and host records registered by the source DC do not exist on DNS servers queried by the destination DC due to simple replication latency, a replication failure or a zone transfer failure.

    5. Invalid forwarders or delegations are preventing the destination DC from resolving CNAME or Host records for DCs in other domains in the forest.

    6. DNS Servers used by destination DC, source DC or intermediate DNS Servers are not functioning properly.

     

    For the detailed troubleshooting steps, please refer to the following Microsoft TechNet article:

     

    Active Directory replication error 8524: The DSA operation is unable to proceed because of a DNS lookup failure

    http://technet.microsoft.com/en-us/library/active-directory-replication-error-8524(WS.10).aspx

     

    Regards,


    Monday, September 12, 2011, 1:56 PM
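As an added example (not from the thread, Microsoft, or the TechNet article), the following PowerShell checks the two conditions the replies above turn on, from whichever DC you run it on: whether each DC's DSA GUID CNAME under _msdcs.<forest root> resolves to a host record through this host's configured DNS servers (root causes 2 to 4), and whether those DNS servers are themselves DCs, as Ace Fekay's reply requires. It assumes only the .NET System.DirectoryServices classes present on a domain-joined Windows Server 2008 R2 box and an account allowed to read the configuration partition; all output values are whatever your forest returns.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell
# session on the DC that reports 8524 (the "destination" DC).
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$root   = $forest.RootDomain.Name      # forest root DNS name hosting _msdcs

# Enumerate every DC in the forest (other domains count: root cause 5).
$dcs = @()
foreach ($domain in $forest.Domains) {
    foreach ($d in $domain.DomainControllers) { $dcs += $d }
}

# 1. Each DC's NTDS Settings objectGUID is the label of the CNAME a
#    replication partner must resolve: <guid>._msdcs.<forest root>.
$results = foreach ($dc in $dcs) {
    $ntds  = $dc.GetDirectoryEntry().Children.Find("CN=NTDS Settings")
    $cname = "$($ntds.Guid)._msdcs.$root"
    $row = New-Object PSObject -Property @{
        DC = $dc.Name; IPAddress = $dc.IPAddress; Cname = $cname
        Resolved = $null; Error = $null
    }
    try {
        # GetHostEntry uses this machine's DNS client settings and follows
        # the CNAME; HostName is the canonical host, AddressList its A/AAAA.
        $entry = [System.Net.Dns]::GetHostEntry($cname)
        $row.Resolved = "$($entry.HostName) -> $($entry.AddressList -join ',')"
    } catch {
        # This is exactly the lookup that fails when 8524 is logged.
        $row.Error = $_.Exception.Message
    }
    $row
}
$results | Format-Table DC, IPAddress, Cname, Resolved, Error -AutoSize

# 2. DNS client settings on this host: every listed DNS server should be a DC
#    (an ISP or router address here is the misconfiguration described above).
$dcIps = $dcs | ForEach-Object { $_.IPAddress }
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
  ForEach-Object {
    foreach ($srv in $_.DNSServerSearchOrder) {
        $verdict = if ($dcIps -contains $srv) { "is a DC (ok)" }
                   else { "is NOT a DC - check it hosts or forwards _msdcs.$root" }
        "{0}: DNS server {1} {2}" -f $_.Description, $srv, $verdict
    }
  }
```

A row with an Error but a populated IPAddress column points at DNS registration or client settings rather than at the DC itself; a DC listed with no IPAddress, or one whose NTDS Settings object is found but the host is gone, is root cause 1 and a candidate for metadata cleanup.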
  • Hi,

     

    The error message “The trust relationship between this workstation and the primary domain failed” can occur because you restored an expired computer password.

    Based on the current situation, you may disjoin and rejoin this server to the domain to check the result.

    In addition, you may also try to use Nltest to reset the secure channel or use netdom to reset the computer account.

     

    For more information, please refer to the following Microsoft KB articles:

     

    Trust Relationship Between Workstation and Domain Fails

    http://support.microsoft.com/kb/162797

     

    Domain Secure Channel Utility -- Nltest.exe

    http://support.microsoft.com/kb/158148

     

    Resetting computer accounts in Windows

    http://support.microsoft.com/kb/216393

     

    Regards,


    Monday, September 19, 2011, 8:04 AM
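As an added example (not from the thread or the KB articles), this PowerShell verifies the secure channel before and after a machine-account password reset, which is the PowerShell form of the netdom and nltest resets suggested above and avoids a disjoin/rejoin. The domain name and DC name are placeholders, not values from the thread; run it in an elevated session on the server that shows the trust error, with domain admin credentials.

```powershell
# Added example, not code from the thread. Placeholders below are constructed.
$Domain = "corp.example"          # placeholder: the AD domain
$DC     = "DC1.corp.example"      # placeholder: the healthy, reachable DC

# 1. Confirm the symptom. nltest shows the channel state and the DC it was
#    last set up with; Test-ComputerSecureChannel returns $false when the
#    machine account password on this box no longer matches the one the DC
#    holds, which is what a system-state restore of an old password causes.
nltest /sc_query:$Domain
$before = Test-ComputerSecureChannel -Server $DC
"Secure channel healthy before repair: $before"

if (-not $before) {
    # 2. Reset the machine account password against the chosen DC. This is
    #    equivalent to: netdom resetpwd /server:$DC /userd:$Domain\<admin> /passwordd:*
    $cred = Get-Credential -Credential "$Domain\Administrator"
    Test-ComputerSecureChannel -Server $DC -Repair -Credential $cred

    # nltest equivalent if the cmdlet is unavailable:
    #   nltest /sc_reset:$Domain\$DC
}

# 3. Re-verify; a $true here means the trust error at logon should be gone.
"Secure channel healthy after repair: $(Test-ComputerSecureChannel -Server $DC)"
```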

All replies

  • Did you change the name of the primary DC or the additional DC?
    Darshana Jayathilake
    Saturday, September 10, 2011, 2:30 AM
  • It sounds like it wasn't properly demoted to begin with. Is the bad DC currently joined to the domain?


    Mark Morowczynski|http://blogs.technet.com/b/markmoro
    Sunday, September 11, 2011, 3:47 AM
  • Hello,

    As it seems the DC is broken, let's check the domain first with the support tools:

    ipconfig /all >c:\ipconfig.txt [from each DC/DNS server]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)


    As the output will become large, DON'T post them into the thread, please use Windows Sky Drive (skydrive.live.com) [with open access!] and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.

    If the problem one cannot be fixed, then use metadata cleanup and after this install it new in the forest.

    http://msmvps.com/blogs/mweber/archive/2010/05/16/active-directory-metadata-cleanup.aspx


    Best regards, Meinolf Weber
    Sunday, September 11, 2011, 9:47 AM
  • Thanks for the replies; it's a lot of info and I've been testing things out today. A lot of the replies were about how to promote/demote correctly, and I'll make sure to go through the tutorials next time I plan on demoting something, but for right now I'm more concerned about getting it back up and running.

    I changed the NIC DNS servers to only have the other DC and not the router as one post said.

    I removed and added the ADDS role but get the same error as before.

    I started to make a support file but got stuck on dnslint /ad /s. It is not being recognized as a legit command. I downloaded the support file from MS and ran it but still couldn't get it to work. So I paused on that and decided to try to restore the system state first.

    -------------------

    I tried restoring the system state and now at log in it says "The trust relationship between this workstation and the primary domain failed." Any ideas?


    Monday, September 12, 2011, 11:23 PM
  • Hi,

     

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

     

    Best Regards,

    Xiuxiu



    Thursday, January 2, 2020, 9:35 AM