Active Directory unable to upgrade to 2003

jwalter

Hi,

I'm trying to update our system to AD 2003 and Exchange 2007, and am
trying everything out first on a test system. First off, sorry for
the situation I am explaining, because it's complicated... and perhaps
the errors I am getting could be done by rebuilding my test system.
However, the main error I appear to be having (non-sync between the
parent and child domains) is also appearing on the live system, so I
want to try and figure it out without rebuilding.

Here is the scenario:

Live system:
Parent domain: abc.com
Two DCs: MSOA01, MSOA02
FSMO: MSOA01 holds all roles

Child domain: xyz.abc.com
4 DCs: MSTAPDC1 holds PDC and RID, MSTABDC1 holds Infrastructure
(MSOA01 has the schema and domain naming master roles)

repadmin shows the following:


Replication Summary Start Time: 2007-06-13 18:03:05

Beginning data collection for replication summary, this may take
awhile:


Source DC largest delta fails/total %% error
MSOA01 11m:00s 0 / 6 0
MSOA02 12m:23s 0 / 9 0
MSTAMSX1 12m:23s 0 / 12 0
MSTAPDC1 10m:55s 0 / 8 0
MSTUBDC1 12m:23s 0 / 12 0
MSTUMSX1 11m:00s 0 / 12 0


Destination DC largest delta fails/total %% error
MSTAMSX1 08m:55s 0 / 18 0
MSTAPDC1 12m:29s 0 / 18 0
MSTUBDC1 10m:55s 0 / 12 0
MSTUMSX1 13m:52s 0 / 11 0


Experienced the following operational errors trying to retrieve
replication information:
8453 - MSOA02
8453 - MSOA01


On my test system, the error appears as well, but because I was trying
to get things working, I had more flexibility to try to test things
out. In addition, because my test system consists of only 3 DCs, I
had to remove many of them using ntdsutil, and also my trust was
screwed up until I restored MSOA02 from backup (authoritative).

Test system:
Parent domain: abc.com
1 DC: MSOA02

Child domain: xyz.abc.com
2 DCs: MSTAPDC1, MSTAMSX1

Trusts appear to be verified ok. General replication appears to
work. The Replication Summary gives a similar inability to
communicate across the trust as listed above.

However, FSMO is all screwed up:
On the parent domain:
MSOA02 holds all roles, but if I want to, I can transfer the schema
master to one of the child domains.

On the child domain:
MSTAPDC1 holds the schema master and domain master, and I can't seem to
get just one of them for the whole forest.

I tried to do an authoritative restore to MSOA02 and it seemed to take
ok, but again, I have two domain masters and two schema masters.

I don't know how this would affect my live system since I don't want to
mess around with it.

Any ideas on how to clean up this mess? My next thought was to
restore MSOA01.
Thanks so much for your input.
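The "repadmin /replsum" output quoted above is the kind of text an administrator ends up reading by eye. The following PowerShell is an added example, not code from the thread: it parses that summary format into objects and decodes the numeric operational-error codes with the Win32 error table, so the "8453" lines stop being opaque. The sample text is constructed from the summary quoted in the post; the parsing rules are assumptions about the layout shown there.

```powershell
# Added example: parse "repadmin /replsum /bysrc /bydest" text into objects.
# Sample input constructed from the summary quoted in the post above.
$sample = @'
Replication Summary Start Time: 2007-06-13 18:03:05

Beginning data collection for replication summary, this may take awhile:

Source DC           largest delta    fails/total %%   error
 MSOA01                 11m:00s    0 /   6    0
 MSOA02                 12m:23s    0 /   9    0
 MSTAPDC1               10m:55s    0 /   8    0

Destination DC      largest delta    fails/total %%   error
 MSTAPDC1               12m:29s    0 /  18    0
 MSTAMSX1               08m:55s    0 /  18    0

Experienced the following operational errors trying to retrieve replication information:
       8453 - MSOA02
       8453 - MSOA01
'@

function ConvertFrom-ReplSummary {
    param([Parameter(Mandatory)][string]$Text)

    $section = $null
    $rows    = New-Object System.Collections.Generic.List[object]
    $opErrs  = New-Object System.Collections.Generic.List[object]

    foreach ($line in $Text -split "`r?`n") {
        $t = $line.Trim()
        if (-not $t) { continue }
        # Section headers switch the parser state.
        if ($t -match '^Source DC')      { $section = 'Source';      continue }
        if ($t -match '^Destination DC') { $section = 'Destination'; continue }
        if ($t -match '^Experienced the following operational errors') { $section = 'OpError'; continue }

        switch ($section) {
            { $_ -in 'Source', 'Destination' } {
                # e.g. "MSOA01   11m:00s   0 /   6   0"
                if ($t -match '^(\S+)\s+(\S+)\s+(\d+)\s*/\s*(\d+)\s+(\d+)') {
                    $rows.Add([pscustomobject]@{
                        Role         = $section
                        DC           = $Matches[1]
                        LargestDelta = $Matches[2]
                        Fails        = [int]$Matches[3]
                        Total        = [int]$Matches[4]
                        PercentError = [int]$Matches[5]
                    })
                }
            }
            'OpError' {
                # e.g. "8453 - MSOA02": the code is a Win32 error number.
                if ($t -match '^(\d+)\s*-\s*(\S+)') {
                    $code = [int]$Matches[1]
                    $opErrs.Add([pscustomobject]@{
                        DC      = $Matches[2]
                        Code    = $code
                        Message = (New-Object System.ComponentModel.Win32Exception($code)).Message
                    })
                }
            }
        }
    }
    [pscustomobject]@{ Rows = $rows; OperationalErrors = $opErrs }
}

$summary = ConvertFrom-ReplSummary -Text $sample
$summary.Rows | Format-Table -AutoSize
$summary.OperationalErrors | Format-Table -AutoSize
```

Code 8453 decodes to "Replication access was denied." The point for the reader of the summary is that repadmin could not query those two root DCs at all, so their rows showing zero failures carry no information: nothing was collected from them, which is why the per-DC tables look healthy while the forest is not replicating across the parent/child boundary.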
 
H

Herb Martin

> Hi,
>
> I'm trying to update our system to AD 2003 and Exchange 2007, and am
> trying everything out first on a test system. First off, sorry for
> the situation I am explaining, because it's complicated... and perhaps
> the errors I am getting could be done by rebuilding my test system.
> However, the main error I appear to be having (non-sync between the
> parent and child domains) is also appearing on the live system, so I
> want to try and figure it out without rebuilding.

You cannot ADPrep a domain nor a forest without full replication of that
domain or forest first -- and you will need full replication afterwards
before it is complete.

You must either fix the replication errors, or remove any permanently
lost DC or Domain objects from the forest (using NTDSUtil metadata cleanup
first for every DC and then for any lost domain.)
 
jwalter

Hi Herb,
Thanks for your help. I think my next step with the test system is to
restore the PDC (authoritatively) and maybe also the SOA, so that the
test system at least has the ability to swap roles. Actually, as a
question of what is allowed, is it ok to have the Schema and Domain
master roles held by a DC in the child domain? I figured that if I
can swap roles, then my communication and trusts should be ok, and
currently I can not do that.

Regarding trusts, I am unable to remove the trust between domains
since it says it is a parent-child relationship... not that I want to
remove it, I just want to ascertain that it is established correctly.
Verify seems to work ok on the GUI and Netdom utilities.

On the main issue, the error that I am seeing on both test and live
("Experienced the following operational errors trying to retrieve
replication information") is not very descriptive and other
replications seem to be ok. Any way to dig deeper to see what errors
it is getting and how to troubleshoot them?

Thanks again
John
 
Herb Martin

> Hi Herb,
> Thanks for your help. I think my next step with the test system is to
> restore the PDC (authoritatively) and maybe also the SOA,

What is an SOA? Are you talking about a DNS Server or even a
Primary DNS Server specifically?

[ An SOA is technically a type of DNS record -- not a type of server. ]

> so that the
> test system at least has the ability to swap roles. Actually, as a
> question of what is allowed, is it ok to have the Schema and Domain
> master roles held by a DC in the child domain?

Yes, it is unusual but technically legal.

> I figured that if I
> can swap roles, then my communication and trusts should be ok, and
> currently I can not do that.

Swap what roles? And why is that an issue?

> Regarding trusts, I am unable to remove the trust between domains
> since it says it is a parent-child relationship...

Such trusts are automatic and permanent -- unless you remove the
entire Child Domain ("Metadata cleanup") which strongly implies this
is (part of) your problem.

> not that I want to
> remove it, I just want to ascertain that it is established correctly.

Leave the automatic trusts alone.

> Verify seems to work ok on the GUI and Netdom utilities.

"DCDiag /c" should be run on EACH DC, output to a text file, search
for (and fix) any FAIL or WARN messages.

> On the main issue, the error that I am seeing on both test and live
> ("Experienced the following operational errors trying to retrieve
> replication information") is not very descriptive and other
> replications seem to be ok. Any way to dig deeper to see what errors
> it is getting and how to troubleshoot them?

DCDiag /c usually shows what you need.

Also check that you changed all the DNS settings for every test DC so
the NIC->IP properties references ONLY the test DC DNS.
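The two checks in that reply (run "DCDiag /c" on every DC, keep the output, grep it for FAIL/WARN; and confirm each DC's NIC lists only the lab DNS servers) are easy to script so they are run the same way on every DC. The PowerShell below is an added example and not code from the thread: the DC names are taken from the test-system description in the post, while the approved DNS addresses, the output directory and the use of WMI for the DNS client settings are assumptions.

```powershell
# Added example: comprehensive dcdiag on every DC plus a DNS-client sanity check.
# DC names follow the test system described in the post; addresses are assumed.
$DomainControllers = 'MSOA02', 'MSTAPDC1', 'MSTAMSX1'
$ApprovedDns       = '192.0.2.10', '192.0.2.20'      # lab DNS servers (assumed)
$OutDir            = Join-Path $env:TEMP 'dcdiag'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($dc in $DomainControllers) {
    $log = Join-Path $OutDir "$dc.txt"

    # /s targets a remote DC, /c runs the comprehensive test set, /v adds detail.
    # Keep the complete output; only the summary lines are echoed below.
    & dcdiag.exe /s:$dc /c /v 2>&1 | Out-File -FilePath $log -Encoding ascii

    # dcdiag marks problems as "... failed test <Name>" and "Warning: ...".
    # Select-String is case-insensitive by default.
    $hits = Select-String -Path $log -Pattern 'failed test|warning'
    if ($hits) {
        Write-Host "== $dc : $($hits.Count) FAIL/WARN line(s), full output in $log"
        $hits | ForEach-Object { Write-Host ("   line {0}: {1}" -f $_.LineNumber, $_.Line.Trim()) }
    } else {
        Write-Host "== $dc : dcdiag /c reports no failures or warnings"
    }

    # DNS client settings of the DC's IP-enabled NICs (WMI, available on
    # Windows 2000/2003 hosts). Flag any DNS server that is not a lab server,
    # e.g. a production DC left over from the restored system state.
    $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                          -ComputerName $dc -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        $stray = @($nic.DNSServerSearchOrder) | Where-Object { $_ -and ($_ -notin $ApprovedDns) }
        if ($stray) {
            Write-Warning "$dc NIC '$($nic.Description)' points at non-lab DNS: $($stray -join ', ')"
        }
    }
}
```

Run it from a workstation or DC that can reach every DC with an account holding domain admin rights in both domains; the per-DC text files are the artefact to post or diff later, and the warning lines identify a DC that still resolves names through the production forest, which on a restored lab is the most common reason the child and parent stop agreeing.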
 
jwalter

Hi Herb,
Sorry for the delay, I thought I had posted a reply already, but it
didn't take.

DCDiag /c has no errors on the live system; the test system is down right now
as I am trying to run restores on all DCs.

My problem in test is that I have two DCs claiming to be the schema and
domain master, so probably whatever I have going is suspect until I
can clear that up. I had wanted to swap roles to get it to just one
master, but each PC can't transfer the role since it already thinks it
owns it. I will let you know what happens after I do a restore.

SOA was part of the naming scheme for the first two DCs in our parent
domain, meant to say Start of Authority; this was how a consultant
set us up 3 years ago. I'm unclear if there are problems with the
actual DNS entries for these items. I will research that to see if
they are configured wrong. I also will check the DNS to make sure
only the test DCs are present.

Thanks again for your help... it's a 4-day workweek here, so I will pick
this up again on Monday.
John
 
Herb Martin

> Hi Herb,
> Sorry for the delay, I thought I had posted a reply already, but it
> didn't take.
>
> DCDiag /c has no errors on the live system; the test system is down right now
> as I am trying to run restores on all DCs.
>
> My problem in test is that I have two DCs claiming to be the schema and
> domain master, so probably whatever I have going is suspect until I
> can clear that up.

You must DCPromo one of them. You can then DCPromo it back to
DC.

> I had wanted to swap roles to get it to just one
> master, but each PC can't transfer the role since it already thinks it
> owns it. I will let you know what happens after I do a restore.
>
> SOA was part of the naming scheme for the first two DCs in our parent
> domain, meant to say Start of Authority; this was how a consultant
> set us up 3 years ago.

The consultant was using meaningless terminology (see my guesses for
what he meant in the first reply.)

> I'm unclear if there are problems with the
> actual DNS entries for these items. I will research that to see if
> they are configured wrong. I also will check the DNS to make sure
> only the test DCs are present.

DCDiag will confirm the correct DNS records for the DCs.
 
jwalter

Hi,
Ok, so I restored system state from backup for all 3 of my DCs and it's
a lot cleaner. Only one schema and domain master. Replication seems
to be ok, but I am still getting the following error, the same as on my
live system:

Experienced the following operational errors trying to retrieve
replication information:
8453 MSOA01 (this is the DC in the root of the forest, and I am
running it from a PC in the child domain)

It appears the error is related to replication access, but the other
diagnostic tools appear to be ok.

Any ideas on further diagnostics or ways to check replication access
rights?
Thanks
John
 
Herb Martin

> Hi,
> Ok, so I restored system state from backup for all 3 of my DCs and it's
> a lot cleaner. Only one schema and domain master. Replication seems
> to be ok, but I am still getting the following error, the same as on my
> live system:
>
> Experienced the following operational errors trying to retrieve
> replication information:
> 8453 MSOA01 (this is the DC in the root of the forest, and I am
> running it from a PC in the child domain)
>
> It appears the error is related to replication access, but the other
> diagnostic tools appear to be ok.
>
> Any ideas on further diagnostics or ways to check replication access
> rights?

Run "DCDiag /c" and post the unedited text.

I take it you are running the Root DC in a VM on that PC.

Make sure you can resolve DNS from any domain-DNS server in
the entire forest, for all of the DNS in that entire forest.

(Root->Child and Child->Root etc.)

Make sure (after that) that you can route from-to all DCs and firewall
filters don't block their communication.
 
jwalter

Hello Herb,
After continued poking around it would appear that the problem resides
in the DNS entries. All three servers in my test domain are GCs, but
DNS is only showing them in the parent domain... My parent domain has
entries for the GC under the _msdcs tab, but there are no such entries
under the child domain _msdcs tab. Just for kicks, I manually created
an entry that duplicated the items in the parent, and it appeared to
help... after adding the GC tab, I was able to transfer the schema role
back and forth, whereas before I had an LDAP error.

So far so good, but I don't think it's a clean entry, and I'm wondering
if there are automated methods for creating all of the entries, such
as site names etc., or else a template that I can confirm it looks the
way it should?

Thanks again for your help.
John

(Also, I can resolve server names via Ping just fine, but are there
other methods such as via LDAP queries... I saw one having to do with
nslookup, but it didn't work for me to give useful diagnostics.)
 
Herb Martin

> Hello Herb,
> After continued poking around it would appear that the problem resides
> in the DNS entries. All three servers in my test domain are GCs, but
> DNS is only showing them in the parent domain... My parent domain has
> entries for the GC under the _msdcs tab, but there are no such entries
> under the child domain _msdcs tab. Just for kicks, I manually created
> an entry that duplicated the items in the parent, and it appeared to
> help... after adding the GC tab, I was able to transfer the schema role
> back and forth, whereas before I had an LDAP error.
>
> So far so good, but I don't think it's a clean entry, and I'm wondering
> if there are automated methods for creating all of the entries, such
> as site names etc., or else a template that I can confirm it looks the
> way it should?

Yes, all of these methods should work:

Restarting the Netlogon Service
(net start Netlogon then Net stop Netlogon)
DCDiag /fix
NetDiag /fix

I have an unconfirmed belief that "NetDiag /fix" is the best in some
odd cases.

If this (or these) don't work, then you have some other DNS client-server
problem, the DC being the DNS client and perhaps also the DNS server.

The registering DNS client (NetLogon does the actual registration) must
be able to find the DYNAMIC Master of the DNS domain/zone.

This means it must find the single traditional Primary, or ONE OF the
Dynamic AD Integrated DNS-DCs.
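The resolution test Herb asks for in the two replies above (every DC's DNS server must answer for the root and child zones, and Netlogon must be able to register its records) can be made concrete by querying, from each DC's configured DNS server, the SRV records Netlogon is supposed to register. The PowerShell below is an added example and not code from the thread. Forest and domain names follow the post; the DC-to-DNS-server map and the addresses are assumptions for a lab. Resolve-DnsName comes with the DnsClient module (Windows 8 / Server 2012 and later), so on a 2003-era host the same queries would be typed into nslookup with "set type=SRV". One fact worth keeping in mind when reading the _msdcs folders: the GC records (_ldap._tcp.gc._msdcs.abc.com) are registered only under the forest root's _msdcs zone, so a child-domain DNS server has to be able to reach that zone rather than hold a copy of the records itself.

```powershell
# Added example: verify the SRV records Netlogon registers, as seen from the
# DNS server each DC actually uses, and restart Netlogon where one is missing.
$ForestRoot  = 'abc.com'        # from the post
$ChildDomain = 'xyz.abc.com'    # from the post

# Which DNS server each DC's NIC points at (assumed lab addresses).
$DnsServerOf = @{
    MSOA02   = '192.0.2.10'
    MSTAPDC1 = '192.0.2.20'
    MSTAMSX1 = '192.0.2.20'
}

# GC records live only under the forest root's _msdcs zone; DC records live
# under each domain's own _msdcs zone.
$RecordNames = @(
    "_ldap._tcp.gc._msdcs.$ForestRoot"
    "_ldap._tcp.dc._msdcs.$ForestRoot"
    "_ldap._tcp.dc._msdcs.$ChildDomain"
    "_kerberos._tcp.dc._msdcs.$ChildDomain"
)

function Test-DcSrvRecords {
    param([string]$DnsServer, [string[]]$Names)
    foreach ($n in $Names) {
        try {
            # Ask the specific server, not the local resolver, so a server
            # that cannot see the other domain's zone shows up as a failure.
            $srv = Resolve-DnsName -Name $n -Type SRV -Server $DnsServer -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            [pscustomobject]@{ DnsServer = $DnsServer; Record = $n; Found = $true
                               Targets = ($srv.NameTarget -join ', ') }
        } catch {
            [pscustomobject]@{ DnsServer = $DnsServer; Record = $n; Found = $false
                               Targets = $_.Exception.Message }
        }
    }
}

$results = foreach ($dc in $DnsServerOf.Keys) {
    Test-DcSrvRecords -DnsServer $DnsServerOf[$dc] -Names $RecordNames |
        Select-Object @{ n = 'DC'; e = { $dc } }, *
}
$results | Format-Table -AutoSize

# For DCs whose DNS server lacks a record, force re-registration with the
# Netlogon restart from the reply (stop, then start). Assumes PowerShell
# remoting to the DC; on older hosts run "net stop netlogon" / "net start
# netlogon" on the DC console instead.
$needRegistration = $results | Where-Object { -not $_.Found } |
                    Select-Object -ExpandProperty DC -Unique
foreach ($dc in $needRegistration) {
    Invoke-Command -ComputerName $dc -ScriptBlock { Restart-Service -Name Netlogon -Force }
}
```

A row with Found = False for the forest-root GC record when queried through the child's DNS server is the signature of exactly what this thread is chasing: the child DC cannot locate a global catalog, so forest-wide operations (schema role transfer, cross-domain replication status) fail while in-domain replication stays green. After the restart, re-run the query rather than trusting the service restart; the record has to appear on the server the DC uses, not merely on the DC itself.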
 
jwalter

Thanks.
I ran the utils as suggested, and I still get an error when running
the "repadmin /replsum /bysrc /bydest" command ("Experienced the
following operational errors trying to retrieve replication
information: 8453 MSOA01"). I am under the assumption that I can
not upgrade to AD 2003 until I get that error addressed?

The PDC is the DNS server and client... would that be a problem?
 
Herb Martin

> Thanks.
> I ran the utils as suggested, and I still get an error when running
> the "repadmin /replsum /bysrc /bydest" command ("Experienced the
> following operational errors trying to retrieve replication
> information: 8453 MSOA01"). I am under the assumption that I can
> not upgrade to AD 2003 until I get that error addressed?
>
> The PDC is the DNS server and client... would that be a problem?

No, in no way.

If you run a complete "DCDiag /c" you may get more information and
my bet is that you will find a "missing DC", perhaps one that you have
(incompletely) removed from the network and AD -- or one that is
otherwise unavailable due to network, filtering, or DNS errors.

It could also be a time sync issue that prevents replication.
 
jwalter

Ahhh, success!

There were other records under the GC tab that I added after the above
post, thus completely duplicating the GC folder at the parent
domain. It took a while to replicate, but now when I run the
repadmin utility, I get no errors (no errors on DCDiag /c either on
any of my servers).

So does this make sense? I guess it tells me that while in the child
domain, the system had no clue as to who or where the GCs were,
whereas in the parent I was fine?

Any downside to making this update on my production servers? Any
chance of causing some weird replication that has not been able to
happen because there was a partial block on GC communication? I
think that this error has been there since we put up the system, and
we never had an issue (probably because we don't really operate outside
of the single child domain).

Also, curious, do these records get created automatically when you add
or remove a DC as a Global Catalog, or is this a manual process?

John
 
Herb Martin

> Ahhh, success!
>
> There were other records under the GC tab that I added after the above
> post, thus completely duplicating the GC folder at the parent
> domain. It took a while to replicate, but now when I run the
> repadmin utility, I get no errors (no errors on DCDiag /c either on
> any of my servers).
>
> So does this make sense? I guess it tells me that while in the child
> domain, the system had no clue as to who or where the GCs were,
> whereas in the parent I was fine?

Sounds like you have a mistake (misdesign, misconfiguration) at the child
DNS server -- where they cannot find one or more of the parent/root
DNS domains.
 
