dcdiag errors

Phil Loper

I am trying to figure out why my second domain controller (dc2) does not
take over when my first one (dc1) is down. Both are running Windows
2000 Server. I get these errors when I run dcdiag on dc1:

Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
......................... DC1 passed test frssysvol

Starting test: systemlog
An Error Event occured. EventID: 0x0000165B
Time Generated: 04/23/2008 15:28:33
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000169E
Time Generated: 04/23/2008 15:34:33
(Event String could not be retrieved)
......................... DC1 failed test systemlog

Can anyone tell me what these errors mean? dcdiag does not seem to
exist on dc2, is it something I need to install?
 
Meinolf Weber

Hello Phil,

Please post an ipconfig /all from both DCs. The systemlog entry shows that
in the event viewer you have some errors. Check them and post them complete
here.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Paul Bergson [MVP-DS]

It sounds like you have problems with the dc being started up on dc1. Check
the event log after you have started up this dc. I'll bet it states
something like "DC not starting sysvol not shared out" it will have an
event log message to go with it. Post any errors from the Event Log back
here.

If you don't have the support tools installed on dc2, install them from your
server install disk.
d:\support\tools\setup.exe


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Meinolf Weber

Hello Phil,

Did you have any major changes before or a crashed DC which is no longer
available? Is the second DC also a Global Catalog server?

DC1 is a DNS server; what about DC2? For DC1 set preferred DNS to itself
and secondary the other. If DC2 is not a DNS server, set it also with DC1
as preferred and the other as secondary.

Also it is not recommended to use a DC multihomed like you did with the PPP
connection. Better choose another member server for this and not a DC.

Event id 5723:
http://www.eventid.net/display.asp?eventid=5723&eventno=106&source=NETLOGON&phase=1

Event id 5719:
http://www.eventid.net/display.asp?eventid=5719&eventno=104&source=NETLOGON&phase=1

http://www.chicagotech.net/wineventid.htm

http://support.microsoft.com/kb/310339

Event id 5790
http://www.eventid.net/display.asp?eventid=5790&eventno=3984&source=Netlogon&phase=1


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
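
Added example (not part of any poster's message and not a Microsoft tool): the EventID values dcdiag prints in the first post are hexadecimal, while Event Viewer and the eventid.net links above use decimal. This sketch parses that excerpt, converts the IDs, and flags tests that report "passed" yet still carry an Error line, as frssysvol does; the function names are hypothetical.

```python
import re

# The dcdiag excerpt from the first post of this thread, copied verbatim.
SAMPLE = """\
Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
......................... DC1 passed test frssysvol

Starting test: systemlog
An Error Event occured. EventID: 0x0000165B
Time Generated: 04/23/2008 15:28:33
(Event String could not be retrieved)
An Error Event occured. EventID: 0x0000169E
Time Generated: 04/23/2008 15:34:33
(Event String could not be retrieved)
......................... DC1 failed test systemlog
"""

START = re.compile(r"^Starting test:\s*(\S+)")
RESULT = re.compile(r"^\.+\s*(\S+) (passed|failed) test (\S+)")
EVENT = re.compile(r"EventID:\s*0x([0-9A-Fa-f]+)")
TIME = re.compile(r"^Time Generated:\s*(.+)$")

def parse_dcdiag(text):
    # Returns one dict per test: name, server, result, Error lines, events.
    tests, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := START.match(line):
            cur = {"test": m.group(1), "server": None, "result": None,
                   "errors": [], "events": []}
            tests.append(cur)
        elif cur is None:
            continue  # text outside any test block
        elif m := RESULT.match(line):
            cur["server"], cur["result"] = m.group(1), m.group(2)
            cur = None
        elif m := EVENT.search(line):
            # Low 16 bits are the event code that Event Viewer shows.
            cur["events"].append({"id": int(m.group(1), 16) & 0xFFFF, "time": None})
        elif (m := TIME.match(line)) and cur["events"]:
            cur["events"][-1]["time"] = m.group(1)
        elif line.startswith("Error:"):
            cur["errors"].append(line[len("Error:"):].strip())
    return tests

def needs_attention(tests):
    # A "passed" verdict does not clear a test that logged an Error line.
    return [t["test"] for t in tests
            if t["result"] == "failed" or t["errors"] or t["events"]]
```

On the excerpt this yields event IDs 5723 and 5790 for systemlog, and lists frssysvol as needing attention despite its "passed" verdict.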
 
Phil Loper

Hi Meinolf,

Yes, we did have an old DC crash, which we replaced with dc1 and we also
replaced our backup dc with dc2. Both were done a while back, but I do
think the problems started about that time. Both dc1 and dc2 are gc's.

DC2 is not a DNS server. We do have another DNS server, so I went ahead
and changed both of them to use DC1 as the preferred and the other dns
server as the secondary, as you suggested. Since they were both set to
use the third server as preferred, could that have caused some of the
problems? Should I also set all the client pc's the same way?

I will work on getting the rras moved to another box.

Thanks
 
Joseph

I had a pretty close issue one day and it took me a long time to figure out
what the problem was ... mine was as simple as this ... both servers had a
different time stamp (was off by a mere couple of minutes -- believe it or not)
... once I ensured all servers had the same time it helped my case ...
This should not take a lot of time to check.

Joseph
 
Phil Loper

Hello Meinolf,

I'm not sure how we did the removal, but I went thru all the steps in
the link you provided, and did find the old server listed in the active
directory sites and services, in dns under the reverse lookup zone, and
in wins. I deleted it from all three locations. Hopefully these things
I've done today will fix our problems. I will shut it down this
weekend to see. Thanks for your help!
 
Ace Fekay [MVP]

Phil Loper said:
Hi Meinolf,

Yes, we did have an old DC crash, which we replaced with dc1 and we
also replaced our backup dc with dc2. Both were done a while back,
but I do think the problems started about that time. Both dc1 and
dc2 are gc's.
DC2 is not a DNS server. We do have another DNS server, so I went
ahead and changed both of them to use DC1 as the preferred and the
other dns server as the secondary, as you suggested. Since they were
both set to use the third server as preferred, could that have caused
some of the problems? Should I also set all the client pc's the same
way?
I will work on getting the rras moved to another box.

Thanks

What is the other (third) DNS server? Is it a DC as well? How many DCs total
exist?

If it is not a DC, how is it getting a copy of the AD zone? Is it a
Secondary zone?


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations
 
Phil Loper

Ace said:
What is the other (third) DNS server? Is it a DC as well? How many DCs total
exist?

If it is not a DC, how is it getting a copy of the AD zone? Is it a
Secondary zone?

There are 2 DCs and 2 DNS servers. DC1 is a DC and a DNS server, DC2 is
DC only, and the third server I was referring to is DNS only and is set
up as secondary. Should it be set up differently? My problems still
exist after making the previous changes and rebooting. Thanks!
 
Ace Fekay [MVP]

Phil Loper said:
There are 2 DCs and 2 DNS servers. DC1 is a DC and a DNS server, DC2
is DC only, and the third server I was referring to is DNS only and
is set up as secondary. Should it be set up differently? My
problems still exist after making the previous changes and rebooting.
Thanks!

If you have two DCs, I would suggest to make the other a DNS server and
eliminate the Secondary on the member server. Numerous benefits. I would
make the partner as the first entry, and itself as the second entry. Same
with the client machines. Make sure updates are allowed on the zone.

I would also suggest to remove that PPP connection off the DC. That can
cause numerous issues, and as Meinolf stated, it is highly recommended to
NOT multihome a DC. This may be the root of all your problems. Multihoming a
DC causes numerous problems, ESPECIALLY if it is a PPP connection. What is
that connection for? ADSL? VPN from RRAS? If for a PPPoE connection for
ADSL, I would suggest eliminating it completely and using a $40 USD Linksys
router, if budget is a concern. If budget is no concern, I suggest to get a
Pix. If for VPN, I suggest to put RRAS on the member server.

If you want to keep the PPP connection on the server (RRAS or not), I have a
multi-step method to properly configure it that includes a few registry
changes. But I don't think you want to go through all of that and would want
to make your life a little easier by single-homing the machine.

Ace
 
Phil Loper

I am not sure what I am doing wrong, but when I tried to set up a new
ras server and had everyone switch the ip in their vpn connection, it is
not working properly. They can connect, but then they can not access
anything on the network. I tried having them both up at the same time,
but as soon as someone connected to the new one, I can not ping anyone
connected to the old one. So I had to switch them back to the old one.
Maybe your workaround would be my best option.
 
Ace Fekay [MVP]

Phil Loper said:
I am not sure what I am doing wrong, but when I tried to set up a new
ras server and had everyone switch the ip in their vpn connection, it
is not working properly. They can connect, but then they can not
access anything on the network. I tried having them both up at the
same time, but as soon as someone connected to the new one, I can not
ping anyone connected to the old one. So I had to switch them back
to the old one. Maybe your workaround would be my best option.

Setup a new server? Did you install PPPoE on it too or is it internal? If
internal, possibly you didn't allow the ports on the DC?

Compare your two RRAS properties from both machines.

My workaround to force a DC to work may not necessarily work for what you
are doing. It is designed to force a multihomed server to work by altering
registry and other settings that are not default.

If budget is the issue, a better suggestion is to purchase an inexpensive
Linksys router and let it be the connection to the internet, and remove the
PPPoE software or disable that connection on the DC. Move the VPN to a
member server. Allow the VPN ports by port remapping the ports through the
Linksys to the internal VPN server (GRE 1723 and Prot Id 47).

Ace
 
Phil Loper

Ace said:
Setup a new server? Did you install PPPoE on it too or is it internal? If
internal, possibly you didn't allow the ports on the DC?

Compare your two RRAS properties from both machines.

My workaround to force a DC to work may not necessarily work for what you
are doing. It is designed to force a multihomed server to work by altering
registry and other settings that are not default.

If budget is the issue, a better suggestion is to purchase an inexpensive
Linksys router and let it be the connection to the internet, and remove the
PPPoE software or disable that connection on the DC. Move the VPN to a
member server. Allow the VPN ports by port remapping the ports through the
Linksys to the internal VPN server (GRE 1723 and Prot Id 47).

Ace

It is just for vpn, and I just installed rras on a member server, setup
just like the existing one. Do you know where I might find a step by
step guide for setting up a RRAS/VPN server on Windows 2000 Server so
that I can make sure I'm not missing something? It has been a long time
since I set the first one up. Thanks!
 
Ace Fekay [MVP]

Phil Loper said:
It is just for vpn, and I just installed rras on a member server,
setup just like the existing one. Do you know where I might find a
step by step guide for setting up a RRAS/VPN server on Windows 2000
Server so that I can make sure I'm not missing something? It has
been a long time since I set the first one up. Thanks!

This may help.
http://www.windowsnetworking.com/articles_tutorials/w2krras.html

What about the DC? Was that connected to the internet or do you have a
router?

Ace
 
Ace Fekay [MVP]

Phil Loper said:
We have a pix firewall and a router on the Internet t1's.

Good. Then simply moving the VPN server to a member server and disabling it
on the DC will take care of it. Don't forget to adjust the port map rules to
reflect the new location for PPTP. You know you can also use the Cisco PIX
VPN service. It's much more secure, especially with using the Cisco client.
You can configure it to use AD by using RADIUS.

Ace
 
Phil Loper

Ace said:
If you have two DCs, I would suggest to make the other a DNS server and
eliminate the Secondary on the member server. Numerous benefits. I would
make the partner as the first entry, and itself as the second entry. Same
with the client machines. Make sure updates are allowed on the zone.

Should dc2 be setup as active directory like dc1 or should it be set up
as a secondary?
 
Phil Loper

Ace said:
Good. Then simply moving the VPN server to a member server and disabling it
on the DC will take care of it. Don't forget to adjust the port map rules to
reflect the new location for PPTP. You know you can also use the Cisco PIX
VPN service. It's much more secure, especially with using the Cisco client.
You can configure it to use AD by using RADIUS.

Ace

Finally got the other rras server working. We tried using the pix for
vpn, but there were problems with the cisco client not working with the
exchange owa. It has been a long time since we tried that, so cisco may
have fixed the client by now, so I will look into it. Thanks!
 
