How to remove the first Domain Controller from Active Directory

  • Question

    I used to have a Windows 2000 domain controller. I could successfully join my 2003 server to the Windows 2000 domain. Recently, my Windows 2000 domain controller died and my 2003 DC keeps producing the following error, whose event ID is 5719 with NetLogon error:

     

    這台電腦無法在網域 SKOFFICE 上的網域控制站設定安全工作階段,因為下列原因:

    目前無可用的登入伺服器來服務登入請求。 

    這樣可能會導致驗證問題。請確定這台電腦是否已連線到網路。如果問題持續發生,請連絡您的網域系統管理員。 

     

    其他資訊

    如果這台電腦是指定網域的網域控制站,它會將安全工作階段設定到指定網域上的網域主控站模擬器。否則,這台電腦會將安全工作階段設定到指定網域上的任何網域控制站。

     

    請在 http://go.microsoft.com/fwlink/events.asp 查看說明及支援中心,以取得其他資訊。


    Please see if you can help
    August 1, 2008 9:17 AM

Answer

  • Dear Customer,

     

    Thanks for your post.

     

    From your post, I understand your problem is: You have 5719 error in your DC indicating there are no DCs available for domain FP_WINNT.

     

    Generally, this problem can be caused by many factors. We may need some time to perform the steps to narrow down the issue and find the resolution due to the complexity on technical side. I appreciate your understanding and cooperation in advance. For the current situation, I suggest you try the following general troubleshooting steps:

     

    Step1. Ensure no invalid trust remains.

    =======================

    The problem can occur if you have established trust with domain FP_WINNT, but FP_WINNT is unavailable now. In that case, we have to move the stale trust from the current domain.

    1. From the problematic DC,

    2. Start Button -> Programs -> Administrative Tools -> Active Directory Domains and Trusts

    3. Right click on the domain name -> Select Properties -> Click on the Trusts tab.

    4. Select and remove the domain that is no longer there.

     

    Step2: buffer space in the NetBT datagram

    =======================

    The problem can also be caused by running out of buffer space in the NetBT datagram buffer. To resolve this problem, increase the MaxDgramBuffering value from 128 KB to 256 KB:

    1. Start Registry Editor (Regedt32.exe). 

    2. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters 

    3. On the Edit menu, click Add Value , and then add the following information:

    Value Name: MaxDgramBuffering

    Data Type: REG_DWORD

    Value: 0x40000 

    4. Quit Registry Editor. 

    5. Restart the Netlogon service (you may have to restart the computer). 

     

    310339 PRB: Netlogon Logs Event ID 5719 on a Domain Controller

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;310339

     

    Step3: Force Kerberos to use TCP instead of UDP.

    =======================

    Another blameful factor is a limitation on the UDP packet size. You can change MaxPacketSize to 1 to force the clients to use Kerberos traffic over TCP. To do this, follow these steps:

    1. Start Registry Editor. 

    2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

    Note If the Parameters key does not exist, create it now. 

    3. On the Edit menu, point to New, and then click DWORD Value. 

    4. Type MaxPacketSize , and then press ENTER. 

    5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK. 

    6. Quit Registry Editor. 

    7. Restart your computer. 

    244474 How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;244474

     

    Hope the above information helps.  If anything is unclear or you have any concerns, please feel free to post back.  I am glad to be of assistance.

     

    Sincerely,


    Tom Zhang

    August 4, 2008 5:56 AM
    Moderator
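
The registry changes from Step 2 and Step 3 above can be audited, and applied only on request, with a short script. This is an added example, not part of the original thread; the function name `Test-Netlogon5719Setting` and its `-Apply` switch are hypothetical, and it assumes PowerShell and `nltest` are installed on the DC.

```powershell
# Added example: audit (and optionally apply) the two registry values from Steps 2 and 3.
# Function and parameter names are illustrative, not from the original post.
function Test-Netlogon5719Setting {
    param([switch]$Apply)

    # Key paths, value names and data are the ones given in Steps 2 and 3.
    $targets = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
           Name = 'MaxDgramBuffering'; Want = 0x40000 },   # 256 KB datagram buffer
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
           Name = 'MaxPacketSize';     Want = 1 }          # forces Kerberos over TCP
    )

    foreach ($t in $targets) {
        # Read the current value; a missing key or value is reported as $null.
        $current = $null
        if (Test-Path $t.Path) {
            $item = Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue
            if ($item) { $current = $item.($t.Name) }
        }
        $ok = ($null -ne $current) -and ($current -eq $t.Want)

        if (-not $ok -and $Apply) {
            # Step 3 notes that the Parameters key may not exist yet.
            if (-not (Test-Path $t.Path)) { New-Item -Path $t.Path -Force | Out-Null }
            New-ItemProperty -Path $t.Path -Name $t.Name -PropertyType DWord `
                -Value $t.Want -Force | Out-Null
        }

        # One result object per setting, so the output can be logged or compared later.
        New-Object PSObject -Property @{
            Name = $t.Name; Current = $current; Wanted = $t.Want
            Compliant = $ok; Changed = (-not $ok -and [bool]$Apply)
        }
    }
}

# Report only; nothing is written to the registry without -Apply.
Test-Netlogon5719Setting | Format-Table Name, Current, Wanted, Compliant, Changed -AutoSize

# Aid for Step 1: list the trusts this DC knows about, to spot a domain that no longer exists.
nltest /domain_trusts
```

A changed value takes effect only after the restart given in the corresponding step (the Netlogon service for Step 2, the computer for Step 3).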

All replies

  • Dear Customer,

     

    I just wanted to say hi, and to see how things are going. I haven't heard back from you yet and I was wondering if there are any updates on the service request.

     

    Thanks.

     

    Sincerely,
    Tom Zhang


    August 7, 2008 5:52 AM
    Moderator