Deek
Well-known member
Hi, can anyone out there assist with some Active Directory issues?
Summary:
Old Server - hardware is sick, machine only stays up for a short time.
New Server - Added as a GC, all roles transferred. But AD doesn't work unless old server is up.
New server is throwing this (among other errors):
This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure,DC=YCG,DC=com
User Action:
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
I have much info to give...not really sure where to start.
Notably, dcdiag passes everything but these:
Testing server: Default-First-Site-Name\SERVER2018
Starting test: Advertising
Fatal ErrorsGetDcName (SERVER2018) call failed, error 1355
The Locator could not find the server.
......................... SERVER2018 failed test Advertising
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\SERVER2018\netlogon)
[SERVER2018] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
......................... SERVER2018 failed test NetLogons
Running enterprise tests on : xxx
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... xxxxx failed test LocatorCheck
I think I need to use NTDSUTIL to fix the "This server is the owner of the following FSMO role, but does not consider it valid."
But I want to make sure I am not about to do something stupid.
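As an added example (not part of the original post): a small Python parser that reduces saved dcdiag output to the failed tests and the Win32 error codes they report, so the failures can be compared before and after each change. The function names and the `WIN32` table are assumptions of this sketch; the sample is an excerpt of the output quoted above plus one constructed passing test.

```python
import re

# Win32 codes seen in the post's dcdiag output (names from winerror.h).
WIN32 = {67: "ERROR_BAD_NET_NAME", 1355: "ERROR_NO_SUCH_DOMAIN"}
START = re.compile(r"Starting test:\s*(\S+)")
RESULT = re.compile(r"\.{5,}\s*(\S+) (passed|failed) test (\S+)")
CODE = re.compile(r"\berror (\d+)")

def failed_tests(text):
    """Map each failed test to its target, Win32 codes and detail lines."""
    failures, current, detail = {}, None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := START.search(line):
            current, detail = m.group(1), []
        elif m := RESULT.search(line):
            target, verdict, name = m.groups()
            if verdict == "failed":
                codes = sorted({int(c) for d in detail for c in CODE.findall(d)})
                failures[name] = {"target": target, "codes": codes, "detail": detail}
            current, detail = None, []
        elif current and line:
            detail.append(line)
    return failures

def summarize(text):
    """One line per failed test, with error codes resolved to names."""
    out = []
    for name, f in failed_tests(text).items():
        named = ", ".join(f"{c} {WIN32.get(c, 'unknown')}" for c in f["codes"])
        out.append(f"{name} on {f['target']}: {named}")
    return out

# Excerpt from the post; the Connectivity test is constructed to show a pass.
SAMPLE = r"""
Testing server: Default-First-Site-Name\SERVER2018
Starting test: Connectivity
......................... SERVER2018 passed test Connectivity
Starting test: Advertising
Fatal ErrorsGetDcName (SERVER2018) call failed, error 1355
The Locator could not find the server.
......................... SERVER2018 failed test Advertising
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\SERVER2018\netlogon)
[SERVER2018] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
......................... SERVER2018 failed test NetLogons
Starting test: LocatorCheck
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
......................... xxxxx failed test LocatorCheck
"""
```

Calling `summarize(SAMPLE)` returns one line for each of Advertising, NetLogons and LocatorCheck; the passing Connectivity test is dropped.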