Saturday, August 30, 2008

Domain Controller Problems & AD DNS not syncing.

Ok, so here is a tip for all of you, if your going to vmotion a Domain Controller, you gotta power it off first. Seems to be smart, but I prefer to learn things the hard way. Apparently this changes some internal things, long story short, this DC had to be completely blown away and rebuilt. The first thing I noticed was that for some reason AD Integrated DNS was no longer syncing. I ran a dcdiag since I didn't see much of anything in the logs. Basically all it told me was that I needed to run adprep /rodcprep. I tried since it seemed odd it would still need that (I upgraded to 2008 a while back, and thought I had done it.). Doing this gave me some new errors "Adprep could not contact a replica for partition DC=DomainDnsZones,DC=mydomain,DC=suffix.
Adprep encountered an LDAP error.
Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
Adprep failed the operation on partition DC=DomainDnsZones,DC=mydomain,DC=suffix. Skipping to next partition. "

Now the fix for this is several things. The first two are easy of course.
1) Seize the rolls it held.
http://www.petri.co.il/seizing_fsmo_roles.htm
2) Blow away the old info from ntdsutil, ADSIEdit, & DNS.
http://www.petri.co.il/fix_unsuccessful_demotion.htm
3) Here is the really fun part. When seizing the roles in 2008(my first time seizing in 2k8) it left some stuff that had to be modified in ADSIEdit
Thanks to drewhill.net for the info,
http://drewh70.wordpress.com/2008/05/15/error-message-when-you-run-the-adprep-rodcprep-command-in-windows-server-2008/

Error message when you run the "Adprep /rodcprep" command in Windows Server 2008
“Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Domain,DC=suffix”“Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Subdomain,DC=Domain,DC=suffix”“Adprep could not contact a replica for partition DC=ForestDnsZones,DC=Domain,DC=suffix”
Read: Error message when you run the “Adprep /rodcprep” command in Windows Server 2008: “Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com”
Note: I could not get the VB script that Microsoft provided in the above KB article to work. I received the following error, “fixfsmo.vbs(1, 1) Microsoft VBscript compilation error: Expected statement”.
Here’s the way I ended up fixing the problem:

Open ADSIEdit
Connect to DC=DomainDnsZones,DC=domain,DC=suffix
Expand it and select CN=Infrastructure
Right click, click on Properties and look at the fsmoRoleOwner attribute. In my case it was referencing a deleted domain controller:
CN=NTDS SettingsADEL:0db95bd9-0a15-46d8-9665-951689a3c7f9,CN=PFCSRDC1ADEL:5bcf835e-adb2-4eba-9a3e-bccc9611fc78,CN=Servers,CN=PFCS,CN=Sites,CN=Configuration,DC=pfcs,DC=farm
This means that AD has a bad value for the infrastructure master because the infrastructure master for the referenced partition or partitions has been forcefully demoted or is offline.
You will need to copy the correct path to the infrastructure master into the fsmoRoleOwner value. To do this, first determine what server your infrastructure master is supposed to be using AD Users and Computers.
Once you have the , go back into ADSIEdit.
Connect to the Configuration partition.
Expand CN=Sites, CN=, CN= and go to properties of CN=NTDS Settings.
Edit the distinguishedName attribute, select the value and copy it into the clipboard. (cut off the first crap, only keep CN=NTDS Settings... erase all those crazy numbers and everything before it)
Now go back to the Infrastructure object underneath DomainDNSZones, and copy the value you got into the fsmoRoleOwner attribute.
This will have to be done for each partition with a bad value.
After AD has been cleaned up rerun the “Adprep /rodcprep” command.