SailingNut (Author) Posted May 4, 2011

I followed the steps in http://support.microsoft.com/kb/816587/en-us and my DC is configured as it should be. All of the SRV entries listed in the KB point to big-rig.wtbhome.net.
ICTCity Posted May 4, 2011

So it's time to rename... If you can't do this "normally", try in safe mode. Good luck.

--------------------------------------------------------
You can also write in French. You can also write in German. You can also write in Italian.
--------------------------------------------------------
SailingNut (Author) Posted May 16, 2011

So I FINALLY had time to do the demote - rename - promote process you suggested. It appears to have worked. I recreated my domain user accounts and things look good. I do see some errors in dcdiag still, but I'm not sure whether they may be expected given my setup. Here's the output:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = big-rig
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\BIG-RIG
      Starting test: Connectivity
         ......................... BIG-RIG passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\BIG-RIG
      Starting test: Advertising
         ......................... BIG-RIG passed test Advertising
      Starting test: FrsEvent
         ......................... BIG-RIG passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared. Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... BIG-RIG failed test DFSREvent
      Starting test: SysVolCheck
         ......................... BIG-RIG passed test SysVolCheck
      Starting test: KccEvent
         ......................... BIG-RIG passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... BIG-RIG passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... BIG-RIG passed test MachineAccount
      Starting test: NCSecDesc
         ......................... BIG-RIG passed test NCSecDesc
      Starting test: NetLogons
         ......................... BIG-RIG passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... BIG-RIG passed test ObjectsReplicated
      Starting test: Replications
         ......................... BIG-RIG passed test Replications
      Starting test: RidManager
         ......................... BIG-RIG passed test RidManager
      Starting test: Services
         ......................... BIG-RIG passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000040B
            Time Generated: 05/15/2011   20:30:39
            Event String:
            The DHCP service was unable to create or lookup the DHCP Users local group on this computer. The error code is in the data.
         An error event occurred.  EventID: 0x0000040C
            Time Generated: 05/15/2011   20:30:39
            Event String:
            The DHCP server was unable to create or lookup the DHCP Administrators local group on this computer. The error code is in the data.
         An error event occurred.  EventID: 0xC0001B61
            Time Generated: 05/15/2011   20:30:43
            Event String:
            A timeout was reached (30000 milliseconds) while waiting for the File Replication Service service to connect.
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 05/15/2011   20:30:46
            Event String:
            This computer has at least one dynamically assigned IPv6 address. For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         A warning event occurred.  EventID: 0x800009CA
            Time Generated: 05/15/2011   20:30:47
            Event String:
            The value named BIG-RIG in the server's registry key OptionalNames was not valid, and was ignored. If you want to change the value, change it to one that is the correct type and is within the acceptable range, or delete the value to use the default. This value might have been set up by an older program that did not use the correct boundaries.
         A warning event occurred.  EventID: 0x800009CA
            Time Generated: 05/15/2011   20:30:50
            Event String:
            The value named BIG-RIG in the server's registry key OptionalNames was not valid, and was ignored. If you want to change the value, change it to one that is the correct type and is within the acceptable range, or delete the value to use the default. This value might have been set up by an older program that did not use the correct boundaries.
         An error event occurred.  EventID: 0x0000002E
            Time Generated: 05/15/2011   20:44:05
            Event String:
            The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.
         An error event occurred.  EventID: 0xC0001B6F
            Time Generated: 05/15/2011   20:44:05
            Event String:
            The Windows Time service terminated with the following error:
         An error event occurred.  EventID: 0x0000002E
            Time Generated: 05/15/2011   20:44:28
            Event String:
            The time service encountered an error and was forced to shut down. The error was: 0x80070005: Access is denied.
         An error event occurred.  EventID: 0xC0001B6F
            Time Generated: 05/15/2011   20:44:28
            Event String:
            The Windows Time service terminated with the following error:
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 05/15/2011   20:46:52
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
         A warning event occurred.  EventID: 0x800009CA
            Time Generated: 05/15/2011   20:47:00
            Event String:
            The value named BIG-RIG in the server's registry key OptionalNames was not valid, and was ignored. If you want to change the value, change it to one that is the correct type and is within the acceptable range, or delete the value to use the default. This value might have been set up by an older program that did not use the correct boundaries.
         A warning event occurred.  EventID: 0x800009CA
            Time Generated: 05/15/2011   20:47:03
            Event String:
            The value named BIG-RIG in the server's registry key OptionalNames was not valid, and was ignored. If you want to change the value, change it to one that is the correct type and is within the acceptable range, or delete the value to use the default. This value might have been set up by an older program that did not use the correct boundaries.
         An error event occurred.  EventID: 0x0000040B
            Time Generated: 05/15/2011   20:47:15
            Event String:
            The DHCP service was unable to create or lookup the DHCP Users local group on this computer. The error code is in the data.
         An error event occurred.  EventID: 0x0000040C
            Time Generated: 05/15/2011   20:47:15
            Event String:
            The DHCP server was unable to create or lookup the DHCP Administrators local group on this computer. The error code is in the data.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 05/15/2011   20:47:28
            Event String:
            Name resolution for the name _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.WTBHOME.NET timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 05/15/2011   20:47:34
            Event String:
            This computer has at least one dynamically assigned IPv6 address. For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 05/15/2011   20:47:38
            Event String:
            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
         A warning event occurred.  EventID: 0x0000000C
            Time Generated: 05/15/2011   20:47:37
            Event String:
            Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
         An error event occurred.  EventID: 0x00000423
            Time Generated: 05/15/2011   20:47:43
            Event String:
            The DHCP service failed to see a directory server for authorization.
         An error event occurred.  EventID: 0x00000423
            Time Generated: 05/15/2011   20:47:43
            Event String:
            The DHCP service failed to see a directory server for authorization.
         A warning event occurred.  EventID: 0x0000A001
            Time Generated: 05/15/2011   20:47:43
            Event String:
            The Security System could not establish a secured connection with the server ldap/wtbhome.net/wtbhome.net@WTBHOME.NET. No authentication protocol was available.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 05/15/2011   20:47:53
            Event String:
            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
         A warning event occurred.  EventID: 0x000727AA
            Time Generated: 05/15/2011   20:50:04
            Event String:
            The WinRM service failed to create the following SPNs: WSMAN/big-rig.wtbhome.net; WSMAN/big-rig.
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 05/15/2011   21:13:30
            Event String:
            The session setup from computer 'CHGSINLATTITUDE' failed because the security database does not contain a trust account 'CHGSINLATTITUDE$' referenced by the specified computer.
         An error event occurred.  EventID: 0x000016AD
            Time Generated: 05/15/2011   21:15:52
            Event String:
            The session setup from the computer CHGSINLATTITUDE failed to authenticate. The following error occurred:
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 05/15/2011   21:15:52
            Event String:
            The session setup from computer 'MISSMAGIC' failed because the security database does not contain a trust account 'MISSMAGIC$' referenced by the specified computer.
         ......................... BIG-RIG failed test SystemLog
      Starting test: VerifyReferences
         ......................... BIG-RIG passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : wtbhome
      Starting test: CheckSDRefDom
         ......................... wtbhome passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... wtbhome passed test CrossRefValidation

   Running enterprise tests on : wtbhome.net
      Starting test: LocatorCheck
         ......................... wtbhome.net passed test LocatorCheck
      Starting test: Intersite
         ......................... wtbhome.net passed test Intersite
ICTCity Posted May 16, 2011

WELCOME BACK! You should check a couple of things:

1) SYSVOL share (permissions)
2) Check the DHCP & TIME services for their start account. You may have to change the user account (network, system) if they start with a domain account; check passwords.

The warnings you have may all be related to the time service (which is failing to start). But it seems to be a permissions problem. Let me know.
SailingNut (Author) Posted May 16, 2011

OK, somehow the time service got started since I last ran dcdiag. I then configured the time service to sync to an external source. However, dcdiag is still complaining about the time service being configured to use the domain hierarchy and that it can't find a time server. This is really odd since I did reconfigure the time service using w32tm /config, and for good measure I rebooted the server, and dcdiag still has that time error. I checked the registry and I do see that the two external time servers I configured are in the registry, but it would appear that it is still configured to use the domain, not the external servers I set up. What can I do to troubleshoot why this is and discover a fix? Thanks!
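An added example, not from either poster in this thread: a PowerShell session (run as administrator on the PDC emulator) that applies the external-time configuration the post above describes and then reads back what w32tm is actually using. The NTP peer names are placeholders; substitute the two servers you configured. The value worth checking is Type under the W32Time Parameters key: NT5DS means the service still follows the domain hierarchy, NTP means it honours the manual peer list, and a "Configure Windows NTP Client" Group Policy setting under the Policies key overrides both, which is one way a manual w32tm change gets silently undone.

```powershell
# Added example (not from the thread). Point the forest-root PDC emulator at
# external NTP peers, mark it reliable for the rest of the domain, and verify.
# Peer names below are placeholders, not the servers from the thread.
$peers = "0.pool.ntp.org,0x8 1.pool.ntp.org,0x8"   # 0x8 = client mode only

w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# What the service is using right now: should name one of the peers, not
# "Local CMOS Clock" or a domain controller.
w32tm /query /source
w32tm /query /status

# Effective configuration. Type=NT5DS means "domain hierarchy" is still in
# force; Type=NTP means the manual peer list is being honoured.
$params = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
Get-ItemProperty $params | Select-Object Type, NtpServer

# A GPO setting here overrides the registry values above at each policy refresh;
# if this key exists and sets Type/NtpServer, that is where "domain hierarchy"
# keeps coming back from.
$policy = "HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters"
if (Test-Path $policy) { Get-ItemProperty $policy | Select-Object Type, NtpServer }
```

If the policy key is present, the fix belongs in the GPO (or the policy must be un-linked from the DC's OU) rather than in another w32tm /config run.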
ICTCity Posted May 16, 2011

But is the time service running or not? Start > Run > services.msc > Time > right click > Properties and check WHO starts this service.
SailingNut (Author) Posted May 16, 2011

> But is the time service running or not? Start > Run > services.msc > Time > right click > Properties and check WHO starts this service.

The time service is running and it is started under the Local Service account.
ICTCity Posted May 16, 2011

Actually you shouldn't have big problems, sorry, no problems at all. Anyway, let's try to make sure everything is working fine:

Check permissions on the SYSVOL share (this is mandatory for GP).

Regarding DHCP, try this:

   ipconfig /registerdns
   net stop netlogon
   net start netlogon

Retry, but as said, you may not have problems... the time service is running, this is the most important thing.
SailingNut (Author) Posted May 16, 2011

> Actually you shouldn't have big problems, sorry, no problems at all. Anyway, let's try to make sure everything is working fine:
>
> Check permissions on the SYSVOL share (this is mandatory for GP).
>
> Regarding DHCP, try this:
>
>    ipconfig /registerdns
>    net stop netlogon
>    net start netlogon
>
> Retry, but as said, you may not have problems... the time service is running, this is the most important thing.

Permissions on SYSVOL are as follows:

   CREATOR OWNER       - Special permissions
   Authenticated Users - Read & execute, List folder contents, Read
   SYSTEM              - Full control
   Administrators      - Special permissions
   Server Operators    - Read & execute, List folder contents, Read

After performing the steps you suggested, I'm still getting a couple of errors in dcdiag. Here's the output:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = big-rig
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\BIG-RIG
      Starting test: Connectivity
         ......................... BIG-RIG passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\BIG-RIG
      Starting test: Advertising
         ......................... BIG-RIG passed test Advertising
      Starting test: FrsEvent
         ......................... BIG-RIG passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared. Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... BIG-RIG failed test DFSREvent
      Starting test: SysVolCheck
         ......................... BIG-RIG passed test SysVolCheck
      Starting test: KccEvent
         ......................... BIG-RIG passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... BIG-RIG passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... BIG-RIG passed test MachineAccount
      Starting test: NCSecDesc
         ......................... BIG-RIG passed test NCSecDesc
      Starting test: NetLogons
         ......................... BIG-RIG passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... BIG-RIG passed test ObjectsReplicated
      Starting test: Replications
         ......................... BIG-RIG passed test Replications
      Starting test: RidManager
         ......................... BIG-RIG passed test RidManager
      Starting test: Services
         ......................... BIG-RIG passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000423
            Time Generated: 05/16/2011   14:40:47
            Event String:
            The DHCP service failed to see a directory server for authorization.
         ......................... BIG-RIG failed test SystemLog
      Starting test: VerifyReferences
         ......................... BIG-RIG passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : wtbhome
      Starting test: CheckSDRefDom
         ......................... wtbhome passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... wtbhome passed test CrossRefValidation

   Running enterprise tests on : wtbhome.net
      Starting test: LocatorCheck
         ......................... wtbhome.net passed test LocatorCheck
      Starting test: Intersite
         ......................... wtbhome.net passed test Intersite
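An added example, not from the thread: a PowerShell session that performs the two checks ICTCity asked for (SYSVOL permissions, then DNS and Netlogon re-registration) from the command line and afterwards re-runs only the dcdiag tests that were failing instead of the whole suite. It assumes the default SYSVOL location under the Windows directory and the domain name wtbhome.net from this thread; nslookup is used rather than Resolve-DnsName so it also works on Windows Server 2008 R2.

```powershell
# Added example (not from the thread). Run as administrator on the DC.
$domain = "wtbhome.net"
$sysvol = Join-Path $env:SystemRoot "SYSVOL\sysvol\$domain"   # default path, assumed

# 1) Share-level permissions on SYSVOL and NETLOGON (NETLOGON lives inside SYSVOL).
net share SYSVOL
net share NETLOGON

# 2) NTFS permissions on the domain folder. Expect SYSTEM Full control,
#    Administrators and CREATOR OWNER special rights, Authenticated Users and
#    Server Operators read/execute, as listed in the post above.
(Get-Acl $sysvol).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# 3) Re-register the DC's own A records, then restart Netlogon and force it to
#    re-register the _msdcs/_sites SRV records that the 0x3F6 warning named.
ipconfig /registerdns
Restart-Service Netlogon
nltest /dsregdns

# 4) Confirm the SRV record from that warning now resolves.
nslookup -type=SRV "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.$domain"

# 5) Re-run just the tests that were failing; /v prints the full event text
#    so the remaining SystemLog entries can be read without opening Event Viewer.
dcdiag /test:DFSREvent /test:SystemLog /test:SysVolCheck /v
```

Note that SystemLog and DFSREvent report any matching event from the last 24 hours, so after a fix they keep failing until the old events age out; the timestamps in the /v output tell you whether a reported event is new or stale.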
ICTCity Posted May 16, 2011

That's ok for SYSVOL. Just ignore this error. Regarding the last one (DHCP), I could tell you to remove and re-add the DHCP role, but if everything is working fine, you don't have to do so. I think you're ok right now :)
SailingNut (Author) Posted May 16, 2011

One more question. I'm getting errors in the event log saying that "The computer X tried to contact the server using the trust relationship established by the WTBHOME domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship." where X is any of the machines on my network. I did some searching and the suggestion was to delete the computer account from the domain and re-create it. Well, in my case there is no computer account in the domain, so I just created one. But it still appears that the problem exists. Any ideas?
ICTCity Posted May 16, 2011

You should tell me what COMPUTER X is; was it a server? Of course it is running somewhere and it was a TRUSTED DELEGATED. Now the point is: can you find something in Domains and Trusts? If the computer X was a part of the DC, you have to remove the partnership. Anyway, this problem is also not a problem (???), because COMPUTER X will not be able to take info about the AD structure. But anyway, it will work properly. If you want to establish a trusted domain partnership, you can do this by adding a trust in DOMAINS AND TRUSTS.
SailingNut (Author) Posted May 16, 2011

> You should tell me what COMPUTER X is; was it a server? Of course it is running somewhere and it was a TRUSTED DELEGATED. Now the point is: can you find something in Domains and Trusts? If the computer X was a part of the DC, you have to remove the partnership. Anyway, this problem is also not a problem (???), because COMPUTER X will not be able to take info about the AD structure. But anyway, it will work properly. If you want to establish a trusted domain partnership, you can do this by adding a trust in DOMAINS AND TRUSTS.

Computer X is any of the workstation computers in my network. There is nothing in AD Domains & Trusts. When I right click on it & select Manage, it opens AD Users & Computers, and that is where I added the computer account. (Trying to replicate on the server what happens when you join a machine to the domain.)
ICTCity Posted May 16, 2011

Oh well, try to un-join that PC from the domain. Delete the COMPUTER's entry from AD, then re-add the PC and your problem should be solved.
ICTCity Posted May 16, 2011

> Oh well, try to un-join that PC from the domain. Delete the COMPUTER's entry from AD, then re-add the PC and your problem should be solved.

I mean, try with one PC... just to see if this resolves your problem.
SailingNut (Author) Posted May 16, 2011

> I mean, try with one PC... just to see if this resolves your problem.

I'd like to avoid that because I think it will wipe out the personal settings etc. for each domain user on that computer. (Or am I completely wrong?)
ICTCity Posted May 16, 2011

> I'd like to avoid that because I think it will wipe out the personal settings etc. for each domain user on that computer. (Or am I completely wrong?)

If you don't redirect profiles to a server or a network share... yes. Well, I don't think you will have troubles; the error simply indicates that a computer cannot be verified with its SID. Unless people are able to login with their account, you can ignore this problem. If I'm not wrong, SIDs are used to avoid the entire authentication process. Anyway, if this fails, Windows will try to use the user's credentials. I'm not sure... Anyway, this problem is because your DC has created another DB with different SIDs.
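An added example, not from either poster: the checks a practitioner would run on one affected workstation before deciding whether to un-join and rejoin it, since the question in this exchange is whether the SID error actually affects domain logons. Test-ComputerSecureChannel and nltest report whether the machine's secure channel to a DC in wtbhome.net works right now; the repair attempt at the end runs only if that test fails and needs a domain administrator credential (the account name in the prompt is a placeholder). Resetting the channel in place is worth trying first because it is the leave/rejoin, not the reset, that disturbs local user profiles.

```powershell
# Added example (not from the thread). Run as local administrator on ONE workstation.
$domain = "wtbhome.net"

# Which DC the locator finds for this domain (fails outright if DNS/SRV is broken).
nltest /dsgetdc:$domain

# Does this machine's secure channel to a DC work right now? $true/$false.
$ok = Test-ComputerSecureChannel -Verbose
"Secure channel to $domain OK: $ok"

# Which DC the channel is bound to and NetLogon's view of its state.
nltest /sc_query:$domain
nltest /sc_verify:$domain

if (-not $ok) {
    # Try to re-establish the channel in place: this resets the machine account
    # password on the workstation and on the DC, so the computer object must
    # already exist (the earlier dcdiag output showed "does not contain a trust
    # account 'NAME$'" when it did not).
    $cred = Get-Credential "WTBHOME\<domain admin>"      # placeholder account name
    $repaired = Reset-ComputerSecureChannel -Credential $cred -Server $domain -PassThru
    "Secure channel repaired in place: $repaired"
    if (-not $repaired) {
        "Reset failed; the workstation and the rebuilt domain no longer agree on the SID, " +
        "as the event text says, so a leave/rejoin of this one PC is the remaining option."
    }
}
```

Running this on a single workstation, as ICTCity suggests, tells you whether the error is cosmetic (test passes, users log on) or whether each machine really has to be rejoined.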
SailingNut (Author) Posted May 17, 2011

> If you don't redirect profiles to a server or a network share... yes. Well, I don't think you will have troubles; the error simply indicates that a computer cannot be verified with its SID. Unless people are able to login with their account, you can ignore this problem. If I'm not wrong, SIDs are used to avoid the entire authentication process. Anyway, if this fails, Windows will try to use the user's credentials. I'm not sure... Anyway, this problem is because your DC has created another DB with different SIDs.

OK, I was worried about seeing errors in the event viewer and that it could catch up with me down the road. I'd love to get rid of the errors, but I don't want to jump through a bunch of hoops if they really aren't going to cause any problems. Thanks for all of your help! I'm not seeing any operational problems now!
ICTCity Posted May 17, 2011

Errors and warnings are important, but in many cases they don't cause troubles with operations. We will see :)
SailingNut (Author) Posted May 17, 2011

First operational hiccup....... My 2003 server is still on the network but demoted to a standalone server. I tried to log into it with a domain administrative account and it failed to authenticate. I had to log into the local computer. Is this to be expected since I demoted it and it's no longer a member of the domain, or is it failing because of some other reason? I checked the computer properties and it still thinks it's a part of the domain, so there may be some other problem lurking.
ICTCity Posted May 17, 2011

> First operational hiccup....... My 2003 server is still on the network but demoted to a standalone server. I tried to log into it with a domain administrative account and it failed to authenticate. I had to log into the local computer. Is this to be expected since I demoted it and it's no longer a member of the domain, or is it failing because of some other reason? I checked the computer properties and it still thinks it's a part of the domain, so there may be some other problem lurking.

If it is just a server (not a DC), remove it from the domain and, if you can, delete the computer object from AD. Then rejoin.
SailingNut (Author) Posted May 18, 2011

FYI, I now have a completely "clean" dcdiag report. It turns out the DHCP problem was that I had to "authorize" the DHCP server back into the domain after demoting and promoting. I found a problem where it was not handing out an address to my laptop connected on WiFi. I opened up the DHCP panel and it told me that I needed to authorize it, and told me to right click on my domain name in the panel and select Authorize. How simple was that?!?!? Hope this tidbit comes in handy for you some time in the future!
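An added example, not from the thread: PowerShell (run as an Enterprise Admin on the DC) that does from the command line what SailingNut did in the DHCP console, and also recreates the two DHCP security groups that the 0x40B / 0x40C events earlier in the thread reported as missing. The server IP address is a placeholder. netsh dhcp is what is available on Windows Server 2008 R2; the Add-DhcpServerInDC / Get-DhcpServerInDC cmdlets shown in the comments are the Windows Server 2012 and later equivalent.

```powershell
# Added example (not from the thread). Run as Enterprise Admin on the DC.
$dhcpFqdn = "big-rig.wtbhome.net"
$dhcpIp   = "<server IP address>"        # placeholder

# Which DHCP servers does Active Directory currently authorize? After the
# demote/promote the new domain has no record of this server, which is what
# the thread traced the "failed to see a directory server for authorization"
# event and the missing WiFi lease back to.
netsh dhcp show server

# Authorize this server: the command-line form of right-click > Authorize.
netsh dhcp add server $dhcpFqdn $dhcpIp

# Recreate the "DHCP Users" and "DHCP Administrators" groups that the
# 0x40B / 0x40C events said could not be created or looked up.
netsh dhcp add securitygroups

Restart-Service DHCPServer
netsh dhcp show server                   # should now list big-rig.wtbhome.net

# Windows Server 2012 and later equivalent of the show/add calls above:
# Get-DhcpServerInDC
# Add-DhcpServerInDC -DnsName $dhcpFqdn -IPAddress $dhcpIp
```

Authorization is worth keeping an eye on for more than convenience: a DHCP server that Active Directory has not authorized refuses to lease, which is the mechanism that stops an unauthorized Windows DHCP server from handing out addresses on the domain's network, so the authorized list is also a useful thing to review periodically.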
ICTCity Posted May 18, 2011

> FYI, I now have a completely "clean" dcdiag report. It turns out the DHCP problem was that I had to "authorize" the DHCP server back into the domain after demoting and promoting. I found a problem where it was not handing out an address to my laptop connected on WiFi. I opened up the DHCP panel and it told me that I needed to authorize it, and told me to right click on my domain name in the panel and select Authorize. How simple was that?!?!? Hope this tidbit comes in handy for you some time in the future!

I didn't know that DHCP must be authorized in order to work properly... Thanks for sharing :)
SailingNut (Author) Posted May 18, 2011

> I didn't know that DHCP must be authorized in order to work properly... Thanks for sharing :)

Glad I could give at least a little something back!
ICTCity Posted May 18, 2011

I think this is the longest post in this forum :D