Global catalog problem
Hello everyone,
In our company we are upgrading our DCs to Server 2012 R2. We have one 2008 R2 DC; we installed another DC running 2012 R2 and made it a GC from Sites and Services. The problem appeared when I demoted the 2008 server: I noticed that nobody in the company was able to log on to the domain. I realized that even though the global catalog check mark is checked, the server is not a global catalog; when I connect through LDAP I see isglobalcatalogready : false. I tried many solutions to make it a global catalog, but with no success. My solution was to shut down this server and restore the 2008 server from a previous backup. Now all the users can log on to the domain, but I only have one DC. I tried to add another 2012 R2 DC, but DCPromo fails on the prerequisite "check verification of outbound replication failed error reading the ntds settings on replication source controller". I installed another Server 2008 R2 server, since there is no prerequisite check, but the same problem occurred: the new DC is marked as GC but it's not a GC. I checked port 3268. I ran dcdiag and this is the result:
dcdiag /test:checksecurityerror
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = 2k8DC
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: mysite\2K8DC
Starting test: Connectivity
......................... 2K8DC passed test Connectivity
Doing primary tests
Testing server: mysite\2K8DC
Starting test: CheckSecurityError
The account 2K8DC is not a DC account. It cannot replicate.
Unable to verify the machine account
(CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) for 2K8DC on
2K8DC.
Source DC WIN-SM5GUTCII7H has possible security error (8453).
Diagnosing...
Error 2184 querying time on DC WIN-SM5GUTCII7H. Ignoring this
DC and continuing...
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN :LDAP/WIN-SM5GUTCII7H
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:LDAP/f67b0f34-07ae-4dec-8ff5-7cd284ecb7b8._msdcs.mydomain.local
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:GC/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
Unable to verify the machine account
(CN=WIN-SM5GUTCII7H,OU=Domain Controllers,DC=mydomain,DC=local)
for WIN-SM5GUTCII7H on 2K8DC.
Unable to connect to the NETLOGON share!
(\\WIN-SM5GUTCII7H\netlogon)
[WIN-SM5GUTCII7H] An net use or LsaPolicy operation failed with
error 67, The network name cannot be found..
[WIN-SM5GUTCII7H] Unable to verify logon privileges on DC
shares. Please check the above output and take appropriate
steps.
Failed to read object metadata on WIN-SM5GUTCII7H, error
Directory object not found.
[WIN-SM5GUTCII7H] Unable to diagnose problem for this source.
See any errors reported in attempting tests.
......................... 2K8DC failed test CheckSecurityError
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : mydomain
Running enterprise tests on : mydomain.local
C:\Users\Administrator>dcdiag /test:checksecurityerror
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = 2k8DC
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: mysite\2K8DC
Starting test: Connectivity
......................... 2K8DC passed test Connectivity
Doing primary tests
Testing server: mysite\2K8DC
Starting test: CheckSecurityError
The account 2K8DC is not a DC account. It cannot replicate.
Unable to verify the machine account
(CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) for 2K8DC on
2K8DC.
Source DC WIN-SM5GUTCII7H has possible security error (8453).
Diagnosing...
Error 2184 querying time on DC WIN-SM5GUTCII7H. Ignoring this
DC and continuing...
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN :LDAP/WIN-SM5GUTCII7H
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:LDAP/f67b0f34-07ae-4dec-8ff5-7cd284ecb7b8._msdcs.mydomain.local
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:GC/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
Unable to verify the machine account
(CN=WIN-SM5GUTCII7H,OU=Domain Controllers,DC=mydomain,DC=local)
for WIN-SM5GUTCII7H on 2K8DC.
Unable to connect to the NETLOGON share!
(\\WIN-SM5GUTCII7H\netlogon)
[WIN-SM5GUTCII7H] An net use or LsaPolicy operation failed with
error 67, The network name cannot be found..
[WIN-SM5GUTCII7H] Unable to verify logon privileges on DC
shares. Please check the above output and take appropriate
steps.
Failed to read object metadata on WIN-SM5GUTCII7H, error
Directory object not found.
[WIN-SM5GUTCII7H] Unable to diagnose problem for this source.
See any errors reported in attempting tests.
Authoritative attribute pwdLastSet on 2K8DC (writeable)
usnLocalChange = 5866156
LastOriginatingDsa = 2K8DC
usnOriginatingChange = 5866156
timeLastOriginatingChange = 2014-08-17 08:55:52
VersionLastOriginatingChange = 42
Out-of-date attribute pwdLastSet on WIN-SM5GUTCII7H (writeable)
usnLocalChange = 12868
LastOriginatingDsa = 22a5b57a-fac4-4cfe-9fcb-c545025d3716
usnOriginatingChange = 5830453
timeLastOriginatingChange = 2014-08-13 15:07:23
VersionLastOriginatingChange = 41
Unable to verify the convergence of this machine account
(CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) on these DC's
(DC=mydomain,DC=local,2K8DC). Does the machine account password need
resetting?
......................... 2K8DC failed test CheckSecurityError
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : mydomain
Running enterprise tests on : mydomain.local
Note that WIN-SM5GUTCII7H is the new DC; I renamed it to server 2008R2, but it can't be a global catalog due to the error.
I tried to google this error but I didn't find any solution for how to make it replicate the GC.
Best
In addition, I just wanted to point out that the error you are receiving below can be indicative of some sort of firewall block. Antivirus apps can do this, too, with their network protection features.
"check verification of outbound replication failed error reading the ntds settings on replication source controller"
Do you have an AV on the machine, or the Windows firewall, or a third party firewall enabled?
Run PortQRY to see if there are any ports blocked.
PortQry GUI -
Run the "Domains & Trusts" option between DCs, or between DCs and any machine (other servers you want to promote, or even from a client machine), that you want to test if there are any blocked AD ports. Post only errors with "NOTLISTENING," 0x00000001, and 0x00000002. You can ignore UDP 389 and UDP 88 messages. If you see TCP 42 errors, that just means WINS is not running on the target server.
PortQryUI - GUI - Version 2.0 8/2/2004
http://www.microsoft.com/download/en/details.aspx?id=24009
Time issue?
A time skew between DCs that is beyond 5 minutes can cause it, too. Are the clocks on the new server and the current DCs within 5 minutes? Is the PDC emulator configured to sync time to an outside or to a local, reliable source?
Configuring the Windows Time Service - Complete step by step with contingency plan
http://blogs.msmvps.com/acefekay/2014/04/26/configuring-the-windows-time-service/
And of course we are all assuming that the new machine is definitely only using a current DC as the only DNS address in its NIC.
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
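The checks raised in this thread (GC port 3268, the rootDSE isGlobalCatalogReady flag, and clock skew under 5 minutes) can be scripted as below. This is an added example, not part of the original posts; the function names, the port list and the server name dc01.example.local are assumptions chosen for illustration, and the offset parsing assumes w32tm prints a dot as the decimal separator.

```powershell
# Added example: function names, port list and server name are illustrative assumptions.
# Uses only .NET classes and w32tm.exe, so it also runs on Server 2008 R2 (PowerShell 2.0).
Add-Type -AssemblyName System.DirectoryServices

# Well-known TCP ports a DC that is also a GC is expected to answer on.
$AdTcpPorts = @{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'
    445 = 'SMB (SYSVOL/NETLOGON)'; 464 = 'Kerberos password change'; 3268 = 'Global Catalog'
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-GcReadyFlag {
    # Reads isGlobalCatalogReady from rootDSE; $null means rootDSE could not be read.
    param([string]$Server)
    try {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
        $value = $rootDse.psbase.Properties['isGlobalCatalogReady'].Value
        if ($null -eq $value) { return $null }
        return ($value -eq 'TRUE')
    } catch {
        return $null
    }
}

function Get-ClockOffsetSeconds {
    # Asks the server for one NTP sample and returns its offset from the local clock.
    param([string]$Server)
    $output = & w32tm.exe /stripchart "/computer:$Server" /samples:1 /dataonly 2>&1
    foreach ($line in $output) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { return [double]$Matches[1] }
    }
    return $null   # error line or no answer
}

function Test-GlobalCatalogHealth {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$MaxSkewSeconds = 300   # 5 minutes, the limit cited in the thread
    )
    $results = @()
    foreach ($port in ($AdTcpPorts.Keys | Sort-Object)) {
        $open = Test-TcpPort -ComputerName $Server -Port $port
        $results += New-Object PSObject -Property @{
            Check  = "TCP $port ($($AdTcpPorts[$port]))"
            Passed = $open
            Detail = $(if ($open) { 'listening' } else { 'no answer or refused' })
        }
    }

    $flag = Get-GcReadyFlag -Server $Server
    $results += New-Object PSObject -Property @{
        Check  = 'rootDSE isGlobalCatalogReady'
        Passed = ($flag -eq $true)
        Detail = $(if ($null -eq $flag) { 'rootDSE not readable' } else { "value = $flag" })
    }

    $offset = Get-ClockOffsetSeconds -Server $Server
    $results += New-Object PSObject -Property @{
        Check  = "Clock skew within $MaxSkewSeconds s"
        Passed = ($null -ne $offset -and [math]::Abs($offset) -le $MaxSkewSeconds)
        Detail = $(if ($null -eq $offset) { 'no time sample' } else { "offset = $offset s" })
    }
    $results | Select-Object Check, Passed, Detail
}

# Usage (server name is a placeholder):
# Test-GlobalCatalogHealth -Server 'dc01.example.local' | Format-Table -AutoSize
```

A server that answers on 3268 but reports isGlobalCatalogReady as false is still building its partial replicas, which points back at replication rather than at a firewall.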
Similar Messages
Cisco ISE with AD Problem: "Could not read groups data: Global catalog not found"
Hi all,
I have completed the Active Directory integration with Cisco ISE, but when I try to read the groups from Active Directory, ISE shows the message "Could not read groups data: Global catalog not found".
My Domain has multiple sites and subnets, each contains GC for local logon. I have set ISE to the correct site and subnet. Forward and Reverse DNS are working with no error.
Has anyone had this problem? Please help.
I have checked the ISE CLI Reference Guide 1.1.x:
You are about to configure Active Directory settings.
Are you sure you want to proceed? y/n [n]: y
Parameter Name: dns.servers
Parameter Value: 10.77.122.135
Active Directory internal setting modification should only be performed if approved by ISE
support. Please confirm this change has been approved y/n [n]: y
What should I set in the Parameter Name? dns.servers or my DNS hostname?
Please suggest for this too.
Thanks and Regards,
Pongsatorn M.
Hi Pongsatorn,
Thanks for the reply!
I've attached the results of the ISE detailed AD test. As you can see, there is a fair number of domain controllers in the AD forest.
It seems everything works correctly until it gets to testing the AD connectivity on port 3268. Then I get this:
Testing Active Directory connectivity:
Global Catalog: pdascdc02.xyz.com
gc: 3268/tcp - refused
Testing Active Directory connectivity:
Global Catalog: pdascdc02.xyz.com
gc: 3268/tcp - refused
For some reason, the request to the controllers on port 3268 is being refused.
Any thoughts you might have are greatly appreciated.
Cheers,
Greg
A Global Catalog Server could not be located - All GC's are down SBS 2011
I have been searching through these forums and managed to find similar errors, but am struggling to find an answer that applies to me.
I seem to be having a number of issues with our SBS. I believe this domain was previously on an SBS 2003 box before being moved to this SBS 2011 box last year. It has been running fine until yesterday. I can't see anything that has changed since then, though.
Everything seems to point to DNS, although I am struggling to pinpoint the actual cause. The most worrying is when I try to open something on the SBS such as AD Sites and Services.
The error is:
Active Directory Domain Services - Naming information cannot be located because: The specified domain either does not exist or could not be contacted. Contact your system administrator to verify that your domain is properly configured and is currently online.
Here is the ipconfig /all from the server:
Host Name . . . . . . . . . . . . : SBS2012
Primary Dns Suffix . . . . . . . : Contosso.local
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Contosso.local
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82575EB Gigabit Network Connecti
on #2
Physical Address. . . . . . . . . : 00-1E-67-39-23-14
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8087:34f0:59f9:6a26%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.35.250(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.35.1
DHCPv6 IAID . . . . . . . . . . . : 301997671
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-39-46-22-00-1E-67-39-23-15
DNS Servers . . . . . . . . . . . : 192.168.35.250
NetBIOS over Tcpip. . . . . . . . : Enabled
PPP adapter RAS (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : RAS (Dial In) Interface
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.35.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{A23E95B8-B5C2-4D88-BDE9-E9F1C2DD3902}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
and here is the nltest
nltest /server:sbs2012 /dsgetdc:contosso.local
DC: \\SBS2012.contosso.local
Address: \\192.168.35.250
Dom Guid: c50b6df3-9d22-4c87-b2a7-adadc4fd5ec1
Dom Name: contosso.local
Forest Name: contosso.local
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully
As far as I can see everything so far looks ok (highly possible I am missing something) but when I run a DCDIAG it gets messy
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = SBS2012
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SBS2012
Starting test: Connectivity
......................... SBS2012 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SBS2012
Starting test: Advertising
Fatal Error:DsGetDcName (SBS2012) call failed, error 1355
The Locator could not find the server.
......................... SBS2012 failed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... SBS2012 passed test FrsEvent
Starting test: DFSREvent
......................... SBS2012 passed test DFSREvent
Starting test: SysVolCheck
......................... SBS2012 passed test SysVolCheck
Starting test: KccEvent
......................... SBS2012 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... SBS2012 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... SBS2012 passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=Contosso,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=Contosso,DC=local
......................... SBS2012 failed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\SBS2012\netlogon)
[SBS2012] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... SBS2012 failed test NetLogons
Starting test: ObjectsReplicated
......................... SBS2012 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,SBS2012] DsReplicaGetInfo(PENDING_OPS, NULL)
failed, error 0x2105 "Replication access was denied."
......................... SBS2012 failed test Replications
Starting test: RidManager
......................... SBS2012 passed test RidManager
Starting test: Services
Could not open NTDS Service on SBS2012, error 0x5
"Access is denied."
......................... SBS2012 failed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x0000041E
Time Generated: 07/12/2013 08:27:32
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 07/12/2013 08:32:32
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 07/12/2013 08:37:32
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 07/12/2013 08:42:32
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 07/12/2013 08:47:32
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 07/12/2013 08:52:32
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x00000457
Time Generated: 07/12/2013 08:54:09
Event String:
Driver EPSON WorkForce 645 Series required for printer EPSON WorkForce 645 Series is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 07/12/2013 08:54:10
Event String:
Driver FX DocuCentre-IV C2270 PCL 6 required for printer scanner - 212 Manukau Rd Epsom is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 07/12/2013 08:54:10
Event String:
Driver HP ePrint required for printer HP ePrint is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 07/12/2013 08:54:11
Event String:
Driver PDF Complete Converter required for printer PDF Complete is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 07/12/2013 08:54:14
Event String:
Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x0000041E
Time Generated: 07/12/2013 08:57:32
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 07/12/2013 09:02:33
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
A warning event occurred. EventID: 0x00002724
Time Generated: 07/12/2013 09:03:32
Event String:
This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
An error event occurred. EventID: 0x0000041A
Time Generated: 07/12/2013 09:03:33
Event String:
The DHCP/BINL service on the local machine encountered a network error. The error was: 0x 2.
An error event occurred. EventID: 0x0000041E
Time Generated: 07/12/2013 09:03:33
Event String:
The DHCP/BINL service on this computer is shutting down. See the previous event log messages for reasons.
An error event occurred. EventID: 0xC0002720
Time Generated: 07/12/2013 09:03:45
Event String:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
An error event occurred. EventID: 0xC0002720
Time Generated: 07/12/2013 09:03:46
Event String:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
An error event occurred. EventID: 0xC0002720
Time Generated: 07/12/2013 09:03:46
Event String:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
An error event occurred. EventID: 0xC0002720
Time Generated: 07/12/2013 09:03:46
Event String:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
An error event occurred. EventID: 0xC0002720
Time Generated: 07/12/2013 09:03:46
Event String:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
An error event occurred. EventID: 0x00000406
Time Generated: 07/12/2013 09:07:33
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An error event occurred. EventID: 0x00000406
Time Generated: 07/12/2013 09:12:34
Event String:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
An error event occurred. EventID: 0xC00038D6
Time Generated: 07/12/2013 09:16:24
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
An error event occurred. EventID: 0x0000041E
Time Generated: 07/12/2013 09:17:34
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 07/12/2013 09:22:34
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
......................... SBS2012 failed test SystemLog
Starting test: VerifyReferences
......................... SBS2012 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : Contosso
Starting test: CheckSDRefDom
......................... Contosso passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Contosso passed test CrossRefValidation
Running enterprise tests on : Contosso.local
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... Contosso.local failed test LocatorCheck
Starting test: Intersite
......................... Contosso.local passed test Intersite
I found a few people who have had similar issues that were caused by the "netlogon" service being paused or stopped, but in my case it is set to automatically start and is running.
I have also posted this to serverfault (can't post links yet: serverfault.com/questions/522691/a-global-catalog-server-could-not-be-located-all-gcs-are-down), added as there may be info there that may help.
Thanks for taking the time to read this, hopefully someone out there has come across this before or can offer something in regards to the next steps I should take.
Some troubleshooting ideas:
0. Check if the DCs can resolve each other using their DNSHostName. If not, this indicates some DNS misconfiguration -- you need to fix that first.
1. Check if both DCs are pointing to the same DNS server (or DNS servers that are replicas of each other). Run: "ipconfig /all" and check its output. If not, correct the DNS client settings and run dcdiag after some time.
2. Check if dynamic updates are "turned on" on the DNS server.
3. Try re-registering the DC's SRV records by either restarting the netlogon service or by running the following command:
nltest.exe /dsregdns
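The LocatorCheck failures in the dcdiag output above (GC, PDC and KDC not found, error 1355) correspond to SRV records that Netlogon registers in DNS, so steps 0 to 3 can be verified by querying those records directly. This is an added example, not part of the original posts; the function name, parameter names and sample values are assumptions, and it needs the Resolve-DnsName cmdlet (Windows 8 / Server 2012 or later).

```powershell
# Added example: function name, parameters and sample values are illustrative assumptions.
function Test-DcLocatorRecords {
    param(
        [Parameter(Mandatory = $true)][string]$DomainDnsName,   # e.g. example.local
        [Parameter(Mandatory = $true)][string]$DcHostName,      # FQDN of the DC being checked
        [Parameter(Mandatory = $true)][string]$DnsServer,       # DNS server the DC's NIC points at
        [string]$ForestDnsName = $DomainDnsName                 # forest root, if different
    )

    # SRV names the DC locator looks up for each role.
    $records = @(
        @{ Role = 'Any DC (LDAP)';     Name = "_ldap._tcp.dc._msdcs.$DomainDnsName" },
        @{ Role = 'KDC';               Name = "_kerberos._tcp.dc._msdcs.$DomainDnsName" },
        @{ Role = 'PDC emulator';      Name = "_ldap._tcp.pdc._msdcs.$DomainDnsName" },
        @{ Role = 'Global Catalog';    Name = "_ldap._tcp.gc._msdcs.$ForestDnsName" },
        @{ Role = 'Global Catalog (_gc)'; Name = "_gc._tcp.$ForestDnsName" }
    )
    $wanted = $DcHostName.TrimEnd('.')

    foreach ($rec in $records) {
        $targets = @()
        $problem = $null
        try {
            $targets = @(Resolve-DnsName -Name $rec.Name -Type SRV -Server $DnsServer `
                            -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' } |
                ForEach-Object { $_.NameTarget.TrimEnd('.') })
        } catch {
            $problem = $_.Exception.Message   # typically "DNS name does not exist"
        }
        [pscustomobject]@{
            Role        = $rec.Role
            Record      = $rec.Name
            Targets     = ($targets -join ', ')
            # For the PDC record, False is expected on any DC that is not the PDC emulator.
            ListsThisDc = ($targets -contains $wanted)
            Problem     = $problem
        }
    }

    # Step 0 of the reply: the DC's own host name must resolve on the same DNS server.
    $hostProblem = $null
    try {
        $addresses = @(Resolve-DnsName -Name $wanted -Type A -Server $DnsServer `
                          -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch {
        $addresses = @()
        $hostProblem = $_.Exception.Message
    }
    [pscustomobject]@{
        Role        = 'Host (A) record'
        Record      = $wanted
        Targets     = ($addresses -join ', ')
        ListsThisDc = ($addresses.Count -gt 0)
        Problem     = $hostProblem
    }
}

# Usage (all values are placeholders):
# Test-DcLocatorRecords -DomainDnsName 'example.local' -DcHostName 'dc01.example.local' `
#     -DnsServer '192.0.2.10' | Format-Table -AutoSize
```

Records that are missing or do not list the DC are the ones the re-registration in step 3 is meant to restore, provided dynamic updates are enabled on the zone.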
Global Catalog and Searching Child Domains
Hi Everyone,
I'm attempting to sync events from a parent domain and I want to include all child domains as well. The forest contains a parent domain with 2 child domains. In my adapter I have the following configuration specified:
Container: DC=parent,DC=company,DC=com
Search Filter: DC=parent,DC=company,DC=com
Search Child Domain: Checked
Global Catalog: DC1.parent.company.com (Domain Controller of the parent domain is configured as Global Catalog)
When I attempt to sync domains from the child domain I receive the following error:
dn attribute not found in search result
Does anyone have insight into what might be occurring? I can query the GC and can retrieve the events with no problem from other tools, but IDM seems to always have an error for these child domain events. All comments or suggestions welcome. Thanks
This is the actual error from the AS log if that helps:
2009-10-09T13:26:13.840-0500: com.waveset.util.WavesetException: Unable to find dn attribute for object returned from search.
at com.waveset.adapter.AgentResourceAdapter.loadUsersFromResponse(AgentResourceAdapter.java:573)
at com.waveset.adapter.AgentResourceAdapter$AgentAccountSupplier.call(AgentResourceAdapter.java:2937)
at com.waveset.util.BufferedSupplier.getNextBlock(BufferedSupplier.java:70)
at com.waveset.util.BufferedSupplier.run(BufferedSupplier.java:86)
at java.lang.Thread.run(Thread.java:619)
Hello.
Background
I have a Windows Server 2008 R2 installation that I fell in on. I removed all roles and features, renamed it, and gave it a new IP address.
I ran DCpromo and installed AD and DNS. This server was to be the first in a new domain.
After successfully creating the domain, I added my workstation (laptop) to the domain successfully and logged on with a created domain administrator account.
I installed the remote administrator pack for Windows 7 onto my workstation.
Problem
I ran AD Users and Computers (from my workstation) and proceeded to create a user... only to be told:
"Windows cannot verify that the user name is unique because the following error occurred while contacting the global catalog: The server is not operational."
Troubleshooting steps taken so far:
I have ensured that my workstation and server times match (to the second).
I have ensured they are in the same time zone, date, etc.
I am actively pinging the domain controller from my workstation WHILE I attempt to create the user, so network connectivity is ruled out. They are in the same subdomain, there is no router in between. It is workstation > switch > switch > switch > server.
I checked sites and services, to find only 1 server listed for the sole domain, and it IS checked as the global catalog server
My workstation when added to the domain registered in DNS appropriately. As is the domain controller itself.
DCDIAG /fix reports no errors, everything passes
metadata.cleanup cannot be used because there are no other domains or sites, or servers listed beside the one I created.
Please help.... Thank you.
Please use dcdiag /v and repadmin /showreps to check the DCs' health status and AD replication.
Please also refer to the recommendations mentioned here: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
Certain users unable to send email internally by typing address; only works when they use global catalog
Got Office 2010 SP1 and Win7.
Remove the Outlook cache. Guess it's the cache that's causing the problem, whereas when you pull the address from the GAL it works fine.
Refer to the article:
http://support.microsoft.com/default.aspx?kbid=287623
When exchange Domain Controller or Global Catalog servers?
I have a few questions want to get your help.
1,which situation exchange would contact with the Domain Controller, and which situation exchange would contact with the Global Catalog servers?what's the difference?
2,for the mailbox replication service, besides moving the mailbox ,and DAD relevant operations, which situation mailbox replication service also contact with Dc?
Hi,
About Question 1:
For Exchange, the GC is mainly for Address Book lookups. Exchange servers access the global catalog for address information.
About the DC, every domain controller contains the following three directory partitions.
1. Configuration: Contains the Configuration container, which stores configuration objects for the entire forest in cn=configuration,dc=forestRootDomain.
2. Schema: Contains the Schema container, which stores class and attribute definitions for all existing and possible Active Directory objects in cn=schema,cn=configuration,dc=forestRootDomain.
3. Domain: Contains a <domain> container, which stores users, computers, groups, and other objects for a specific domain.
For example, each Exchange Server object has the attribute Boolean messageTrackingEnabled. The Exchange server processes will turn on or off message tracking depending on the value of this attribute in the directory. This is an example of configuration data.
Configuration data is stored in the Configuration partition of Active Directory, and this partition is replicated to every DC in the Forest. Therefore Exchange can potentially go to any DC to access this information.
About Question 2:
The Mailbox Replication Service is responsible for moving mailboxes, importing and exporting .pst files, and restoring disabled and soft-deleted mailboxes. All these operations need to contact a DC.
Best regards,
Belinda
Belinda Ma
TechNet Community Support
Thank you so much
-
Could not find any available Global Catalog in forest when running RemoteMailbox cmdlet
My current Exchange environment is a hybrid configuration of Office 365, Exchange 2013 hybrid, and Exchange 2007 on-premise.
I have a script responsible for enabling remote mailboxes and assigning O365 licenses to a list of users; essentially provisioning users an O365 mailbox. This script runs every hour through a defined scheduled task in the Task Scheduler.
The script is proven to work but will intermittently throw an error on some days: "Could not find any available Global Catalog in forest root.xyz.com"
Here are the nuances of the error when it does occur:
It will only throw the error when the script is run via scheduled task - the script will work fine if executed from the command line
The error occurs when "Enable-RemoteMailbox" or "Get-RemoteMailbox" is called.
The same error will occur with ANY script that calls "Enable-RemoteMailbox" or "Get-RemoteMailbox" and is run via scheduled task - even when the RemoteMailbox cmdlet was the only line in the script
Here is the output and error when Get-RemoteMailbox -verbose is run:
VERBOSE: [15:49:52.474 GMT] Get-RemoteMailbox : Active Directory session
settings for 'Get-RemoteMailbox' are: View Entire Forest: 'True',
VERBOSE: [15:49:52.489 GMT]
Get-RemoteMailbox : Runspace context: Executing
user: ,
Executing user organization: ,
Current organization: ,
RBAC-enabled:Disabled.
VERBOSE: [15:49:52.489 GMT] Get-RemoteMailbox : Beginning processing
VERBOSE: [15:49:52.521 GMT] Get-RemoteMailbox : Current ScopeSet is: {
Recipient Read Scope: {{, }},
Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }},
Configuration Write Scope(s): {{, }, },
Exclusive Recipient Scope(s): {},
Exclusive Configuration Scope(s): {} }
VERBOSE: [15:49:52.521 GMT] Get-RemoteMailbox : Resolved current organization: .
VERBOSE: [15:49:52.521 GMT] Get-RemoteMailbox : Searching objects "abose" of type "ADUser" under the root "$null".
VERBOSE: [15:49:52.536 GMT] Get-RemoteMailbox : Previous operation run on global catalog server 'evw-xyzdc-p02.ad.xyz.com'.
Get-RemoteMailbox : Could not find any available Global Catalog in forest root.xyz.com.
At C:\IDM_In\Scripts\MinimalTest.ps1:42 char:14
+ $abose = Get-RemoteMailbox 'abose' -verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-RemoteMailbox], ADTransientException
+ FullyQualifiedErrorId : E421EF0B,Microsoft.Exchange.Management.RecipientTasks.GetRemoteMailbox
VERBOSE: [15:49:52.567 GMT] Get-RemoteMailbox : Ending processing
What could be the cause of this intermittent error?
Thanks for any help
Looks to me like a permission error, as when you are running it via a scheduled task it is not able to call Exchange shell commands {confirm this}, whereas when you are running this manually it looks to me like you open the Exchange shell, maybe as admin also, and then run the script.
The scheduled task process is not able to get the permission.
Thanks
Happiness Always
Jatin -
How to replicate 'memberOf' attribute to global catalog server
Hi,
I am trying to replicate 'member of' attribute to global catalog server, to get the data from child domain where trust is enabled.
I did a little research and found that 'isMemberOfPartialAttributeSet' should be true to get it replicated to the global catalog server.
In the schema, I am trying to set 'isMemberOfPartialAttributeSet' to true for the "is-member-of-DL" attribute and getting illegal modification.
Is there any other way I can modify it (or with the help of Microsoft)?
OS: windows 2003 R2 (SP2) - MSDN
Thanks!
Karthik
Thanks, Karthikeyan R
Hi Karthik,
Based on my tests, the right way to modify attributes that replicate to the Global Catalog is:
Open Active Directory schema snap-in.
Then locate the attribute which you wish to modify.
Right click on it, and select Properties.
Tick the check box “Replicate this attribute to the Global Catalog”.
More references below:
Install the Active Directory Schema snap-in
http://technet.microsoft.com/en-us/library/cc755885(v=WS.10).aspx
How to Modify Attributes That Replicate to the Global Catalog
http://support.microsoft.com/kb/248717
Best Regards,
Amy -
OID and Active Directory(global catalog) synchronization issues
We have a large network with 7 domains within the AD forest.....The OID server profile points to a single domain controller/GC in 1 of these 7 domains. It is able to synchronize when a change occurred from this domain but not the others in the forest by querying port 3268/GC. We reloaded the bootstrap which reduced the "highest committed usn" last read attribute value in OID....and the synch started working again with another domain but not consistently (a change in AD gets pulled into OID)...
It seems as if OID cannot read the highest committed usn value for all domains within one forest by querying a single global catalog domain controller in one domain....any ideas on best practice to have a consistent synch from OID to all domains in AD?
Message was edited by: marcvip
Each AD server in the Forest will maintain its own highestCommittedHSN. The AD GC should maintain a consistent HSN but knows and keeps all the AD servers in sync. So if the GC does not maintain a consistent HSN you should contact Microsoft as well (besides this forum :-)
regards,
--Olaf -
Exchange Management Shell Cannot Find Global Catalog Servers
Hello,
I have a client with a single Exchange 2013 RU2 multi role server. Exchange works fine with no issues. However, when I open EMS and try to do anything (example get-mailbox) it returns the following error. It was working up until about a week ago.
"Could not find any available Global Catalog in forest domain.com"
I haven't tried rebooting the server yet because Exchange is running fine, it's just PowerShell is jacked up. I have even tried Remote PowerShell from another server and same results. Has anyone ever seen this?
Thanks,
John
Can you check what your nslookup returns? Are you able to connect to your DNS without any error?
The above error generally points towards network connectivity issues.
Guess you have two LAN cards on Exchange. What is the DNS on both LAN cards? I guess it should be the same.
Thanks
Happiness Always
Jatin -
Dear all,
I have Cisco Identity Services Engine, that is connected to Active Directory. When I run the detailed connection test,
the result is error, said:
Test Connection Results
This dialog shows the detailed logs for the operation for: idsv0018.
Status: FAILED: Global Catalog port status error.
Can anyone help?
I believe, because this error, I can't search group of AD, at Cisco ISE.
FYI: the connection from Cisco ISE to AD, joined with successful result.
Thanks,
Jerri
It's clear that when ISE tries to find the GC using the _gc._tcp. DNS query, it doesn't find that information on the domain controller. The GC information is missing on the DC.
_gc._tcp.DnsForestName
Allows a client to locate a Global Catalog (gc) server for this domain.
Jatin Katyal
-
A Global Catalog Server could not be located - All GC's are down server 2003 dc
I'm all out of ideas. I have two 2003 server DCs that both fail DCDIAG with the following and my Exchange services won't come online due to this. Please help!
dc1-server dcdiag
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
PDC Name: \\dc1-server.silistra-bg.net
Locator Flags: 0xe00003dd
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... silistra-bg.net failed test FsmoCheck
dc2-server dcdiag:
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... silistra-bg.net failed test FsmoCheck
Some troubleshooting ideas:
0. Check if the DCs can resolve each other using their DNSHostName. If not, this indicates some DNS misconfiguration -- you need to fix that first.
1. Check if both DCs are pointing to the same DNS server (or DNS servers that are replicas of each other). Run: "ipconfig /all" and check its output. If not, correct the DNS client settings and run dcdiag after some time.
2. Check if dynamic updates are "turned on" on the DNS server.
3. Try re-registering the DCs' SRV records by either restarting the netlogon service or by running the following command:
nltest.exe /dsregdns -
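The checks these threads keep returning to (the `_gc._tcp` SRV lookup, the GC port 3268, and the rootDSE `isGlobalCatalogReady` flag from the opening post) can be run together as one read-only pass. This is an added example, not code from any of the posters; the function name `Test-GlobalCatalog` and the forest name are assumptions, and it needs Windows 8.1 / Server 2012 R2 or later for `Resolve-DnsName` and `Test-NetConnection`.

```powershell
# Added example: read-only global catalog health check (not from the original threads).
# Test-GlobalCatalog is a hypothetical helper name; $ForestName is the DNS name
# of the forest root domain.
function Test-GlobalCatalog {
    param([Parameter(Mandatory)][string]$ForestName)

    # 1. Ask DNS for the GC locator records that Netlogon registers.
    $srv = Resolve-DnsName -Name "_gc._tcp.$ForestName" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.NameTarget }      # keep SRV answers, drop additional A records
    if (-not $srv) {
        Write-Warning "No _gc._tcp.$ForestName SRV records found: clients cannot locate a GC."
        return
    }

    foreach ($rec in $srv) {
        $dc = $rec.NameTarget

        # 2. Confirm the GC LDAP port (3268) accepts TCP connections.
        $tcp = Test-NetConnection -ComputerName $dc -Port 3268 -WarningAction SilentlyContinue

        # 3. Read rootDSE. A DC with the GC box ticked is only usable as a GC
        #    once isGlobalCatalogReady reports TRUE.
        try {
            $rootDse = [ADSI]"LDAP://$dc/RootDSE"
            $ready   = [string]$rootDse.isGlobalCatalogReady
            if (-not $ready) { $ready = 'not returned' }
        } catch {
            $ready = "rootDSE unreachable: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Server               = $dc
            SrvPort              = $rec.Port
            Port3268Open         = $tcp.TcpTestSucceeded
            IsGlobalCatalogReady = $ready
        }
    }
}

# Constructed forest name for illustration; replace with your own.
Test-GlobalCatalog -ForestName 'mydomain.local' | Format-Table -AutoSize
```

A server that appears in the SRV answer but shows `FALSE` or a closed port is advertised in DNS without being able to serve GC queries; a missing SRV answer points back at the DNS registration steps listed above.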
I am upgrading three domain controllers by replacing old '03 DCs with new '12 DCs. The set is a parent domain with two sub domains for child organizations. No users in the sub domains should be able to log into the other domains or see the GAL for the exchange servers in the other orgs. Each of the three has their own exchange server. The same IT team manages all three, so we want to have them in the same forest. (correct term?)
Should any of the domain controllers be a Global Catalog server? That is an option when upgrading the DC server from '03 to '12.
"Servers running Microsoft Exchange Server rely on access to the global catalog for address information. Users use global catalog (GC) servers to access the global address list (GAL). Because a domain controller that acts as a global catalog server stores objects for all domains in the...
This topic first appeared in the Spiceworks Community
CFLDAP requires a domain controller to be specified. It can't find the root DSN of the domain and start from there.
The best workaround is to "know" every domain controller on your domain. Then, run a very simple LDAP query using the first domain controller. If an error occurs, then try the LDAP query with the second domain controller. Keep this up until you run out of domain controllers. If this happens, then you are in worse trouble because your domain will start to fall apart.
Use CFTRY/CFCATCH to test for any LDAP errors when a domain controller is not responding. You can even wrap this into a simple CFLOOP that loops over a list of domain controllers.
All it has to do is return a simple query that should take very little time to process. All you are doing is testing to make sure the domain controller is responding. -
getting: "a problem accessing Organizer catalog. It may be in use by another process or a disk error occurred". Can you help? Sorry - I'm using Elements 5...
From: photodrawken
Sent: Thursday, May 17, 2012 2:39 PM
To: Ermineglen
Subject: Organizer/catalog problem
Re: Organizer/catalog problem
created by photodrawken in Photoshop Elements
Much thanks to you - appreciate it. Glen...