netlogon service paused at dC startup

I am having serious problems here, see I have a small network & a single
active directory server in a virtual server environment, now I did a mistake
I.e restore my DC from snapshot after its windows installation got corrupt.
now according to Microsoft this is not supported which I found out
afterwards & causes a situation called USN rollback.
& this is now causing the netlogon service to be paused after every restart
of the server.
How can I fix this ? the solution to this from Microsoft is to install
another dC transfer DNS & server roles to that server & remove active
directory from this & reinstall active directory again using dcpromo.
but this is not working as soon as I do all the things according to
Microsoft document steps & shutdown the old problem giving server, things
stops working.clients cannot join domain, & no authentication occurs
now I cannot get rid of the DC with USN roll back problem, and keep getting
the pause in netlogin service.

can anyone help me in this ?
Happy birthday of prophet Jesus to all of you.

regards

Hello Stingray,

An USN rollback occur if you have more then one DC and restore one of it
from an unsupported backup solution. So as you said there is only one DC
in the network USN rollback will not occur. The USN are stored on the DCs
and on none other machines in the domain.

Please post the link to the article from Microsoft with the solution you
found.

Also describe more detailed what you have done.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I am having serious problems here, see I have a small network & a
> single
> active directory server in a virtual server environment, now I did a
> mistake
> I.e restore my DC from snapshot after its windows installation got
> corrupt.
> now according to Microsoft this is not supported which I found out
> afterwards & causes a situation called USN rollback.
> & this is now causing the netlogon service to be paused after every
> restart
> of the server.
> How can I fix this ? the solution to this from Microsoft is to install
> another dC transfer DNS & server roles to that server & remove active
> directory from this & reinstall active directory again using dcpromo.
> but this is not working as soon as I do all the things according to
> Microsoft document steps & shutdown the old problem giving server,
> things
> stops working.clients cannot join domain, & no authentication occurs
> now I cannot get rid of the DC with USN roll back problem, and keep
> getting
> the pause in netlogin service.
> can anyone help me in this ?
> Happy birthday of prophet Jesus to all of you.
> regards
>

Thanks for the reply Meinolf

well the Microsoft solution i was talking about is present on
http://support.microsoft.com/kb/875495

Well currently there is only one DC, but there were multiple some time ago
before the bdc crashed and was unrecoverable may be its cause of that USN
problem is coming.
Anyways what if that is the case is there a way to fix this now ?

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:. com...
> Hello Stingray,
>
> An USN rollback occur if you have more then one DC and restore one of it
> from an unsupported backup solution. So as you said there is only one DC
> in the network USN rollback will not occur. The USN are stored on the DCs
> and on none other machines in the domain.
>
> Please post the link to the article from Microsoft with the solution you
> found.
>
> Also describe more detailed what you have done.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> I am having serious problems here, see I have a small network & a
>> single
>> active directory server in a virtual server environment, now I did a
>> mistake
>> I.e restore my DC from snapshot after its windows installation got
>> corrupt.
>> now according to Microsoft this is not supported which I found out
>> afterwards & causes a situation called USN rollback.
>> & this is now causing the netlogon service to be paused after every
>> restart
>> of the server.
>> How can I fix this ? the solution to this from Microsoft is to install
>> another dC transfer DNS & server roles to that server & remove active
>> directory from this & reinstall active directory again using dcpromo.
>> but this is not working as soon as I do all the things according to
>> Microsoft document steps & shutdown the old problem giving server,
>> things
>> stops working.clients cannot join domain, & no authentication occurs
>> now I cannot get rid of the DC with USN roll back problem, and keep
>> getting
>> the pause in netlogin service.
>> can anyone help me in this ?
>> Happy birthday of prophet Jesus to all of you.
>> regards
>>
>
>

Hello Stingray,

How old is the snapshot you have?

The article relies to a domain a with at least 2 DCs, where you can kick
out the machine with USN rollback and then cleanup AD database from it. Now
you can install an additional DC again.

Is the DC also DNS server? Please post an unedited ipconfig /all from it
and also a dcdiag /v. If you are able to start netlogon service manual clenaup
AD database from all old DCs according to:
http://support.microsoft.com/kb/555846/en-us

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Thanks for the reply Meinolf
>
> well the Microsoft solution i was talking about is present on
> http://support.microsoft.com/kb/875495
>
> Well currently there is only one DC, but there were multiple some time
> ago
> before the bdc crashed and was unrecoverable may be its cause of that
> USN
> problem is coming.
> Anyways what if that is the case is there a way to fix this now ?
> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
> news:. com...
>
>> Hello Stingray,
>>
>> An USN rollback occur if you have more then one DC and restore one of
>> it from an unsupported backup solution. So as you said there is only
>> one DC in the network USN rollback will not occur. The USN are stored
>> on the DCs and on none other machines in the domain.
>>
>> Please post the link to the article from Microsoft with the solution
>> you found.
>>
>> Also describe more detailed what you have done.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> I am having serious problems here, see I have a small network & a
>>> single
>>> active directory server in a virtual server environment, now I did a
>>> mistake
>>> I.e restore my DC from snapshot after its windows installation got
>>> corrupt.
>>> now according to Microsoft this is not supported which I found out
>>> afterwards & causes a situation called USN rollback.
>>> & this is now causing the netlogon service to be paused after every
>>> restart
>>> of the server.
>>> How can I fix this ? the solution to this from Microsoft is to
>>> install
>>> another dC transfer DNS & server roles to that server & remove
>>> active
>>> directory from this & reinstall active directory again using
>>> dcpromo.
>>> but this is not working as soon as I do all the things according to
>>> Microsoft document steps & shutdown the old problem giving server,
>>> things
>>> stops working.clients cannot join domain, & no authentication occurs
>>> now I cannot get rid of the DC with USN roll back problem, and keep
>>> getting
>>> the pause in netlogin service.
>>> can anyone help me in this ?
>>> Happy birthday of prophet Jesus to all of you.
>>> regards

Thanks for the reply Meinolf

Well i did the restore from snapshot for about a week ago. & yes the my dC
is also my dns server

here is my ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : mdomain
Primary Dns Suffix . . . . . . . : akesp.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : akesp.org

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-0C-29-51-6A-37
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.1.11
Subnet Mask . . . . . . . . . . . : 255.255.0.0
IP Address. . . . . . . . . . . . : 172.16.1.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.16.1.3
DNS Servers . . . . . . . . . . . : 172.16.1.1
Primary WINS Server . . . . . . . : 172.16.1.1

& my dcdiag /v

C:\Program Files\Support Tools>dcdiag /v

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine mdomain, is a DC.
* Connecting to directory service on server mdomain.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\MDOMAIN
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... MDOMAIN passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\MDOMAIN
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=akesp,DC=org
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only
replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0
had no
latency information (Win2K DC).
DC=DomainDnsZones,DC=akesp,DC=org
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only
replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0
had no
latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=akesp,DC=org
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only
replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0
had no
latency information (Win2K DC).
CN=Configuration,DC=akesp,DC=org
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only
replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0
had no
latency information (Win2K DC).
DC=akesp,DC=org
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only
replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0
had no
latency information (Win2K DC).
* Replication Site Latency Check
......................... MDOMAIN passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC MDOMAIN.
* Security Permissions Check for
DC=ForestDnsZones,DC=akesp,DC=org
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=akesp,DC=org
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=akesp,DC=org
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=akesp,DC=org
(Configuration,Version 2)
* Security Permissions Check for
DC=akesp,DC=org
(Domain,Version 2)
......................... MDOMAIN passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\MDOMAIN\netlogon
Verified share \\MDOMAIN\sysvol
......................... MDOMAIN passed test NetLogons
Starting test: Advertising
The DC MDOMAIN is advertising itself as a DC and having a DS.
The DC MDOMAIN is advertising as an LDAP server
The DC MDOMAIN is advertising as having a writeable directory
The DC MDOMAIN is advertising as a Key Distribution Center
The DC MDOMAIN is advertising as a time server
The DS MDOMAIN is advertising as a GC.
......................... MDOMAIN passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=MDOMAIN,CN=Servers,CN=Default-F
irst-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
Role Domain Owner = CN=NTDS
Settings,CN=MDOMAIN,CN=Servers,CN=Default-F
irst-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
Role PDC Owner = CN=NTDS
Settings,CN=MDOMAIN,CN=Servers,CN=Default-Firs
t-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
Role Rid Owner = CN=NTDS
Settings,CN=MDOMAIN,CN=Servers,CN=Default-Firs
t-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=MDOMAIN,CN=Serve
rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
......................... MDOMAIN passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 6603 to 1073741823
* mdomain.akesp.org is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 4603 to 5102
* rIDPreviousAllocationPool is 4603 to 5102
* rIDNextRID: 4618
......................... MDOMAIN passed test RidManager
Starting test: MachineAccount
Checking machine account for DC MDOMAIN on DC MDOMAIN.
* SPN found :LDAP/mdomain.akesp.org/akesp.org
* SPN found :LDAP/mdomain.akesp.org
* SPN found :LDAP/MDOMAIN
* SPN found :LDAP/mdomain.akesp.org/AKESP
* SPN found
:LDAP/0a205198-abb0-4734-83d0-0d66ac246cd1._msdcs.akesp.org

* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/0a205198-abb0-4734-83
d0-0d66ac246cd1/akesp.org
* SPN found :HOST/mdomain.akesp.org/akesp.org
* SPN found :HOST/mdomain.akesp.org
* SPN found :HOST/MDOMAIN
* SPN found :HOST/mdomain.akesp.org/AKESP
* SPN found :GC/mdomain.akesp.org/akesp.org
......................... MDOMAIN passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... MDOMAIN passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
MDOMAIN is in domain DC=akesp,DC=org
Checking for CN=MDOMAIN,OU=Domain Controllers,DC=akesp,DC=org in
domain
DC=akesp,DC=org on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=MDOMAIN,CN=Servers,CN=Default-First-Si
te-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org in domain
CN=Configuration,DC=
akesp,DC=org on 1 servers
Object is up-to-date on all servers.
......................... MDOMAIN passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... MDOMAIN passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after
the
SYSVOL has been shared. Failing SYSVOL replication problems may
cause
Group Policy problems.
An Error Event occured. EventID: 0xC00034F7
Time Generated: 12/26/2009 14:40:15
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC00034F7
Time Generated: 12/26/2009 15:25:20
(Event String could not be retrieved)
......................... MDOMAIN failed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15
minut
es.
......................... MDOMAIN passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00000457
Time Generated: 12/26/2009 18:19:14
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 12/26/2009 18:19:15
(Event String could not be retrieved)
......................... MDOMAIN failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=MDOMAIN,OU=Domain Controllers,DC=akesp,DC=org and backlink on
CN=MDOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurat
ion,DC=akesp,DC=org
are correct.
The system object reference (frsComputerReferenceBL)
CN=MDOMAIN,CN=Domain System Volume (SYSVOL share),CN=File
Replication S
ervice,CN=System,DC=akesp,DC=org
and backlink on CN=MDOMAIN,OU=Domain Controllers,DC=akesp,DC=org
are
correct.
The system object reference (serverReferenceBL)
CN=MDOMAIN,CN=Domain System Volume (SYSVOL share),CN=File
Replication S
ervice,CN=System,DC=akesp,DC=org
and backlink on
CN=NTDS
Settings,CN=MDOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=akesp,DC=org
are correct.
......................... MDOMAIN passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation

Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation

Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : akesp
Starting test: CrossRefValidation
......................... akesp passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... akesp passed test CheckSDRefDom

Running enterprise tests on : akesp.org
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the
scope
provided by the command line arguments provided.
......................... akesp.org passed test Intersite
Starting test: FsmoCheck
GC Name: \\mdomain.akesp.org
Locator Flags: 0xe00003fd
PDC Name: \\mdomain.akesp.org
Locator Flags: 0xe00003fd
Time Server Name: \\mdomain.akesp.org
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\mdomain.akesp.org
Locator Flags: 0xe00003fd
KDC Name: \\mdomain.akesp.org
Locator Flags: 0xe00003fd
......................... akesp.org passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS


thanks again .
Faisal


"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:. com...
> Hello Stingray,
>
> How old is the snapshot you have?
>
> The article relies to a domain a with at least 2 DCs, where you can kick
> out the machine with USN rollback and then cleanup AD database from it.
> Now you can install an additional DC again.
>
> Is the DC also DNS server? Please post an unedited ipconfig /all from it
> and also a dcdiag /v. If you are able to start netlogon service manual
> clenaup AD database from all old DCs according to:
> http://support.microsoft.com/kb/555846/en-us
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Thanks for the reply Meinolf
>>
>> well the Microsoft solution i was talking about is present on
>> http://support.microsoft.com/kb/875495
>>
>> Well currently there is only one DC, but there were multiple some time
>> ago
>> before the bdc crashed and was unrecoverable may be its cause of that
>> USN
>> problem is coming.
>> Anyways what if that is the case is there a way to fix this now ?
>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>> news:. com...
>>
>>> Hello Stingray,
>>>
>>> An USN rollback occur if you have more then one DC and restore one of
>>> it from an unsupported backup solution. So as you said there is only
>>> one DC in the network USN rollback will not occur. The USN are stored
>>> on the DCs and on none other machines in the domain.
>>>
>>> Please post the link to the article from Microsoft with the solution
>>> you found.
>>>
>>> Also describe more detailed what you have done.
>>>
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers no rights.
>>> ** Please do NOT email, only reply to Newsgroups
>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>> I am having serious problems here, see I have a small network & a
>>>> single
>>>> active directory server in a virtual server environment, now I did a
>>>> mistake
>>>> I.e restore my DC from snapshot after its windows installation got
>>>> corrupt.
>>>> now according to Microsoft this is not supported which I found out
>>>> afterwards & causes a situation called USN rollback.
>>>> & this is now causing the netlogon service to be paused after every
>>>> restart
>>>> of the server.
>>>> How can I fix this ? the solution to this from Microsoft is to
>>>> install
>>>> another dC transfer DNS & server roles to that server & remove
>>>> active
>>>> directory from this & reinstall active directory again using
>>>> dcpromo.
>>>> but this is not working as soon as I do all the things according to
>>>> Microsoft document steps & shutdown the old problem giving server,
>>>> things
>>>> stops working.clients cannot join domain, & no authentication occurs
>>>> now I cannot get rid of the DC with USN roll back problem, and keep
>>>> getting
>>>> the pause in netlogin service.
>>>> can anyone help me in this ?
>>>> Happy birthday of prophet Jesus to all of you.
>>>> regards
>
>

Hello Stingray,

Your DC is multihomed, 2 different ip addresses which is a really bad configuration
for a DC, remove one of them and then make sure it is also listed in the
DNS zones only with the configured one.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Thanks for the reply Meinolf
>
> Well i did the restore from snapshot for about a week ago. & yes the
> my dC is also my dns server
>
> here is my ipconfig /all
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : mdomain
> Primary Dns Suffix . . . . . . . : akesp.org
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : akesp.org
> Ethernet adapter Local Area Connection 2:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : VMware Accelerated AMD PCNet
> Adapter
> Physical Address. . . . . . . . . : 00-0C-29-51-6A-37
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 172.16.1.11
> Subnet Mask . . . . . . . . . . . : 255.255.0.0
> IP Address. . . . . . . . . . . . : 172.16.1.1
> Subnet Mask . . . . . . . . . . . : 255.255.0.0
> Default Gateway . . . . . . . . . : 172.16.1.3
> DNS Servers . . . . . . . . . . . : 172.16.1.1
> Primary WINS Server . . . . . . . : 172.16.1.1
> & my dcdiag /v
>
> C:\Program Files\Support Tools>dcdiag /v
>
> Domain Controller Diagnosis
>
> Performing initial setup:
> * Verifying that the local machine mdomain, is a DC.
> * Connecting to directory service on server mdomain.
> * Collecting site info.
> * Identifying all servers.
> * Identifying all NC cross-refs.
> * Found 1 DC(s). Testing 1 of them.
> Done gathering initial info.
> Doing initial required tests
>
> Testing server: Default-First-Site-Name\MDOMAIN
> Starting test: Connectivity
> * Active Directory LDAP Services Check
> * Active Directory RPC Services Check
> ......................... MDOMAIN passed test Connectivity
> Doing primary tests
>
> Testing server: Default-First-Site-Name\MDOMAIN
> Starting test: Replications
> * Replications Check
> * Replication Latency Check
> DC=ForestDnsZones,DC=akesp,DC=org
> Latency information for 6 entries in the vector were
> ignored.
> 6 were retired Invocations. 0 were either:
> read-only
> replicas
> and are not verifiably latent, or dc's no longer replicating this nc.
> 0
> had no
> latency information (Win2K DC).
> DC=DomainDnsZones,DC=akesp,DC=org
> Latency information for 6 entries in the vector were
> ignored.
> 6 were retired Invocations. 0 were either:
> read-only
> replicas
> and are not verifiably latent, or dc's no longer replicating this nc.
> 0
> had no
> latency information (Win2K DC).
> CN=Schema,CN=Configuration,DC=akesp,DC=org
> Latency information for 7 entries in the vector were
> ignored.
> 7 were retired Invocations. 0 were either:
> read-only
> replicas
> and are not verifiably latent, or dc's no longer replicating this nc.
> 0
> had no
> latency information (Win2K DC).
> CN=Configuration,DC=akesp,DC=org
> Latency information for 7 entries in the vector were
> ignored.
> 7 were retired Invocations. 0 were either:
> read-only
> replicas
> and are not verifiably latent, or dc's no longer replicating this nc.
> 0
> had no
> latency information (Win2K DC).
> DC=akesp,DC=org
> Latency information for 7 entries in the vector were
> ignored.
> 7 were retired Invocations. 0 were either:
> read-only
> replicas
> and are not verifiably latent, or dc's no longer replicating this nc.
> 0
> had no
> latency information (Win2K DC).
> * Replication Site Latency Check
> ......................... MDOMAIN passed test Replications
> Test omitted by user request: Topology
> Test omitted by user request: CutoffServers
> Starting test: NCSecDesc
> * Security Permissions check for all NC's on DC MDOMAIN.
> * Security Permissions Check for
> DC=ForestDnsZones,DC=akesp,DC=org
> (NDNC,Version 2)
> * Security Permissions Check for
> DC=DomainDnsZones,DC=akesp,DC=org
> (NDNC,Version 2)
> * Security Permissions Check for
> CN=Schema,CN=Configuration,DC=akesp,DC=org
> (Schema,Version 2)
> * Security Permissions Check for
> CN=Configuration,DC=akesp,DC=org
> (Configuration,Version 2)
> * Security Permissions Check for
> DC=akesp,DC=org
> (Domain,Version 2)
> ......................... MDOMAIN passed test NCSecDesc
> Starting test: NetLogons
> * Network Logons Privileges Check
> Verified share \\MDOMAIN\netlogon
> Verified share \\MDOMAIN\sysvol
> ......................... MDOMAIN passed test NetLogons
> Starting test: Advertising
> The DC MDOMAIN is advertising itself as a DC and having a DS.
> The DC MDOMAIN is advertising as an LDAP server
> The DC MDOMAIN is advertising as having a writeable directory
> The DC MDOMAIN is advertising as a Key Distribution Center
> The DC MDOMAIN is advertising as a time server
> The DS MDOMAIN is advertising as a GC.
> ......................... MDOMAIN passed test Advertising
> Starting test: KnowsOfRoleHolders
> Role Schema Owner = CN=NTDS
> Settings,CN=MDOMAIN,CN=Servers,CN=Default-F
> irst-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
> Role Domain Owner = CN=NTDS
> Settings,CN=MDOMAIN,CN=Servers,CN=Default-F
> irst-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
> Role PDC Owner = CN=NTDS
> Settings,CN=MDOMAIN,CN=Servers,CN=Default-Firs
> t-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
> Role Rid Owner = CN=NTDS
> Settings,CN=MDOMAIN,CN=Servers,CN=Default-Firs
> t-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
> Role Infrastructure Update Owner = CN=NTDS
> Settings,CN=MDOMAIN,CN=Serve
> rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=or
> g
> ......................... MDOMAIN passed test
> KnowsOfRoleHolders
> Starting test: RidManager
> * Available RID Pool for the Domain is 6603 to 1073741823
> * mdomain.akesp.org is the RID Master
> * DsBind with RID Master was successful
> * rIDAllocationPool is 4603 to 5102
> * rIDPreviousAllocationPool is 4603 to 5102
> * rIDNextRID: 4618
> ......................... MDOMAIN passed test RidManager
> Starting test: MachineAccount
> Checking machine account for DC MDOMAIN on DC MDOMAIN.
> * SPN found :LDAP/mdomain.akesp.org/akesp.org
> * SPN found :LDAP/mdomain.akesp.org
> * SPN found :LDAP/MDOMAIN
> * SPN found :LDAP/mdomain.akesp.org/AKESP
> * SPN found
> :LDAP/0a205198-abb0-4734-83d0-0d66ac246cd1._msdcs.akesp.org
> * SPN found
> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/0a205198-abb0-4734-83
> d0-0d66ac246cd1/akesp.org
> * SPN found :HOST/mdomain.akesp.org/akesp.org
> * SPN found :HOST/mdomain.akesp.org
> * SPN found :HOST/MDOMAIN
> * SPN found :HOST/mdomain.akesp.org/AKESP
> * SPN found :GC/mdomain.akesp.org/akesp.org
> ......................... MDOMAIN passed test MachineAccount
> Starting test: Services
> * Checking Service: Dnscache
> * Checking Service: NtFrs
> * Checking Service: IsmServ
> * Checking Service: kdc
> * Checking Service: SamSs
> * Checking Service: LanmanServer
> * Checking Service: LanmanWorkstation
> * Checking Service: RpcSs
> * Checking Service: w32time
> * Checking Service: NETLOGON
> ......................... MDOMAIN passed test Services
> Test omitted by user request: OutboundSecureChannels
> Starting test: ObjectsReplicated
> MDOMAIN is in domain DC=akesp,DC=org
> Checking for CN=MDOMAIN,OU=Domain Controllers,DC=akesp,DC=org
> in
> domain
> DC=akesp,DC=org on 1 servers
> Object is up-to-date on all servers.
> Checking for CN=NTDS
> Settings,CN=MDOMAIN,CN=Servers,CN=Default-First-Si
> te-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org in domain
> CN=Configuration,DC=
> akesp,DC=org on 1 servers
> Object is up-to-date on all servers.
> ......................... MDOMAIN passed test
> ObjectsReplicated
> Starting test: frssysvol
> * The File Replication Service SYSVOL ready test
> File Replication Service's SYSVOL is ready
> ......................... MDOMAIN passed test frssysvol
> Starting test: frsevent
> * The File Replication Service Event log test
> There are warning or error events within the last 24 hours
> after
> the
> SYSVOL has been shared. Failing SYSVOL replication problems
> may
> cause
> Group Policy problems.
> An Error Event occured. EventID: 0xC00034F7
> Time Generated: 12/26/2009 14:40:15
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0xC00034F7
> Time Generated: 12/26/2009 15:25:20
> (Event String could not be retrieved)
> ......................... MDOMAIN failed test frsevent
> Starting test: kccevent
> * The KCC Event log test
> Found no KCC errors in Directory Service Event log in the
> last 15
> minut
> es.
> ......................... MDOMAIN passed test kccevent
> Starting test: systemlog
> * The System Event log test
> An Error Event occured. EventID: 0x00000457
> Time Generated: 12/26/2009 18:19:14
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 12/26/2009 18:19:15
> (Event String could not be retrieved)
> ......................... MDOMAIN failed test systemlog
> Test omitted by user request: VerifyReplicas
> Starting test: VerifyReferences
> The system object reference (serverReference)
> CN=MDOMAIN,OU=Domain Controllers,DC=akesp,DC=org and backlink
> on
>
> CN=MDOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configura
> t
> ion,DC=akesp,DC=org
> are correct.
> The system object reference (frsComputerReferenceBL)
> CN=MDOMAIN,CN=Domain System Volume (SYSVOL share),CN=File
> Replication S
> ervice,CN=System,DC=akesp,DC=org
> and backlink on CN=MDOMAIN,OU=Domain
> Controllers,DC=akesp,DC=org
> are
> correct.
> The system object reference (serverReferenceBL)
> CN=MDOMAIN,CN=Domain System Volume (SYSVOL share),CN=File
> Replication S
> ervice,CN=System,DC=akesp,DC=org
> and backlink on
> CN=NTDS
> Settings,CN=MDOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Si
> tes,CN=Configuration,DC=akesp,DC=org
> are correct.
> ......................... MDOMAIN passed test
> VerifyReferences
> Test omitted by user request: VerifyEnterpriseReferences
> Test omitted by user request: CheckSecurityError
> Running partition tests on : ForestDnsZones
> Starting test: CrossRefValidation
> ......................... ForestDnsZones passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... ForestDnsZones passed test
> CheckSDRefDom
> Running partition tests on : DomainDnsZones
> Starting test: CrossRefValidation
> ......................... DomainDnsZones passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... DomainDnsZones passed test
> CheckSDRefDom
> Running partition tests on : Schema
> Starting test: CrossRefValidation
> ......................... Schema passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Schema passed test CheckSDRefDom
> Running partition tests on : Configuration
> Starting test: CrossRefValidation
> ......................... Configuration passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Configuration passed test
> CheckSDRefDom
> Running partition tests on : akesp
> Starting test: CrossRefValidation
> ......................... akesp passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... akesp passed test CheckSDRefDom
> Running enterprise tests on : akesp.org
> Starting test: Intersite
> Skipping site Default-First-Site-Name, this site is outside
> the
> scope
> provided by the command line arguments provided.
> ......................... akesp.org passed test Intersite
> Starting test: FsmoCheck
> GC Name: \\mdomain.akesp.org
> Locator Flags: 0xe00003fd
> PDC Name: \\mdomain.akesp.org
> Locator Flags: 0xe00003fd
> Time Server Name: \\mdomain.akesp.org
> Locator Flags: 0xe00003fd
> Preferred Time Server Name: \\mdomain.akesp.org
> Locator Flags: 0xe00003fd
> KDC Name: \\mdomain.akesp.org
> Locator Flags: 0xe00003fd
> ......................... akesp.org passed test FsmoCheck
> Test omitted by user request: DNS
> Test omitted by user request: DNS
> thanks again .
> Faisal
> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
> news:. com...
>
>> Hello Stingray,
>>
>> How old is the snapshot you have?
>>
>> The article relies to a domain a with at least 2 DCs, where you can
>> kick out the machine with USN rollback and then cleanup AD database
>> from it. Now you can install an additional DC again.
>>
>> Is the DC also DNS server? Please post an unedited ipconfig /all from
>> it and also a dcdiag /v. If you are able to start netlogon service
>> manual clenaup AD database from all old DCs according to:
>> http://support.microsoft.com/kb/555846/en-us
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Thanks for the reply Meinolf
>>>
>>> well the Microsoft solution i was talking about is present on
>>> http://support.microsoft.com/kb/875495
>>>
>>> Well currently there is only one DC, but there were multiple some
>>> time
>>> ago
>>> before the bdc crashed and was unrecoverable may be its cause of
>>> that
>>> USN
>>> problem is coming.
>>> Anyways what if that is the case is there a way to fix this now ?
>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>>> news:. com...
>>>> Hello Stingray,
>>>>
>>>> An USN rollback occur if you have more then one DC and restore one
>>>> of it from an unsupported backup solution. So as you said there is
>>>> only one DC in the network USN rollback will not occur. The USN are
>>>> stored on the DCs and on none other machines in the domain.
>>>>
>>>> Please post the link to the article from Microsoft with the
>>>> solution you found.
>>>>
>>>> Also describe more detailed what you have done.
>>>>
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>> and
>>>> confers no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>> I am having serious problems here, see I have a small network & a
>>>>> single
>>>>> active directory server in a virtual server environment, now I did
>>>>> a
>>>>> mistake
>>>>> I.e restore my DC from snapshot after its windows installation got
>>>>> corrupt.
>>>>> now according to Microsoft this is not supported which I found out
>>>>> afterwards & causes a situation called USN rollback.
>>>>> & this is now causing the netlogon service to be paused after
>>>>> every
>>>>> restart
>>>>> of the server.
>>>>> How can I fix this ? the solution to this from Microsoft is to
>>>>> install
>>>>> another dC transfer DNS & server roles to that server & remove
>>>>> active
>>>>> directory from this & reinstall active directory again using
>>>>> dcpromo.
>>>>> but this is not working as soon as I do all the things according
>>>>> to
>>>>> Microsoft document steps & shutdown the old problem giving
>>>>> server,
>>>>> things
>>>>> stops working.clients cannot join domain, & no authentication
>>>>> occurs
>>>>> now I cannot get rid of the DC with USN roll back problem, and
>>>>> keep
>>>>> getting
>>>>> the pause in netlogin service.
>>>>> can anyone help me in this ?
>>>>> Happy birthday of prophet Jesus to all of you.
>>>>> regards

well i only did that for troubleshooting purpose, (old ip of BDC) anything
else you want me to do ? as i did that & still the netlogon service is
paused after startup, also windows time service is stopped have to restart
it manualy.


thanks & regards

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:. com...
> Hello Stingray,
>
> Your DC is multihomed, 2 different ip addresses which is a really bad
> configuration for a DC, remove one of them and then make sure it is also
> listed in the DNS zones only with the configured one.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Thanks for the reply Meinolf
>>
>> Well i did the restore from snapshot for about a week ago. & yes the
>> my dC is also my dns server
>>
>> here is my ipconfig /all
>>
>> Windows IP Configuration
>>
>> Host Name . . . . . . . . . . . . : mdomain
>> Primary Dns Suffix . . . . . . . : akesp.org
>> Node Type . . . . . . . . . . . . : Hybrid
>> IP Routing Enabled. . . . . . . . : No
>> WINS Proxy Enabled. . . . . . . . : No
>> DNS Suffix Search List. . . . . . : akesp.org
>> Ethernet adapter Local Area Connection 2:
>>
>> Connection-specific DNS Suffix . :
>> Description . . . . . . . . . . . : VMware Accelerated AMD PCNet
>> Adapter
>> Physical Address. . . . . . . . . : 00-0C-29-51-6A-37
>> DHCP Enabled. . . . . . . . . . . : No
>> IP Address. . . . . . . . . . . . : 172.16.1.11
>> Subnet Mask . . . . . . . . . . . : 255.255.0.0
>> IP Address. . . . . . . . . . . . : 172.16.1.1
>> Subnet Mask . . . . . . . . . . . : 255.255.0.0
>> Default Gateway . . . . . . . . . : 172.16.1.3
>> DNS Servers . . . . . . . . . . . : 172.16.1.1
>> Primary WINS Server . . . . . . . : 172.16.1.1
>> & my dcdiag /v
>>
>> C:\Program Files\Support Tools>dcdiag /v
>>
>> Domain Controller Diagnosis
>>
>> Performing initial setup:
>> * Verifying that the local machine mdomain, is a DC.
>> * Connecting to directory service on server mdomain.
>> * Collecting site info.
>> * Identifying all servers.
>> * Identifying all NC cross-refs.
>> * Found 1 DC(s). Testing 1 of them.
>> Done gathering initial info.
>> Doing initial required tests
>>
>> Testing server: Default-First-Site-Name\MDOMAIN
>> Starting test: Connectivity
>> * Active Directory LDAP Services Check
>> * Active Directory RPC Services Check
>> ......................... MDOMAIN passed test Connectivity
>> Doing primary tests
>>
>> Testing server: Default-First-Site-Name\MDOMAIN
>> Starting test: Replications
>> * Replications Check
>> * Replication Latency Check
>> DC=ForestDnsZones,DC=akesp,DC=org
>> Latency information for 6 entries in the vector were
>> ignored.
>> 6 were retired Invocations. 0 were either:
>> read-only
>> replicas
>> and are not verifiably latent, or dc's no longer replicating this nc.
>> 0
>> had no
>> latency information (Win2K DC).
>> DC=DomainDnsZones,DC=akesp,DC=org
>> Latency information for 6 entries in the vector were
>> ignored.
>> 6 were retired Invocations. 0 were either:
>> read-only
>> replicas
>> and are not verifiably latent, or dc's no longer replicating this nc.
>> 0
>> had no
>> latency information (Win2K DC).
>> CN=Schema,CN=Configuration,DC=akesp,DC=org
>> Latency information for 7 entries in the vector were
>> ignored.
>> 7 were retired Invocations. 0 were either:
>> read-only
>> replicas
>> and are not verifiably latent, or dc's no longer replicating this nc.
>> 0
>> had no
>> latency information (Win2K DC).
>> CN=Configuration,DC=akesp,DC=org
>> Latency information for 7 entries in the vector were
>> ignored.
>> 7 were retired Invocations. 0 were either:
>> read-only
>> replicas
>> and are not verifiably latent, or dc's no longer replicating this nc.
>> 0
>> had no
>> latency information (Win2K DC).
>> DC=akesp,DC=org
>> Latency information for 7 entries in the vector were
>> ignored.
>> 7 were retired Invocations. 0 were either:
>> read-only
>> replicas
>> and are not verifiably latent, or dc's no longer replicating this nc.
>> 0
>> had no
>> latency information (Win2K DC).
>> * Replication Site Latency Check
>> ......................... MDOMAIN passed test Replications
>> Test omitted by user request: Topology
>> Test omitted by user request: CutoffServers
>> Starting test: NCSecDesc
>> * Security Permissions check for all NC's on DC MDOMAIN.
>> * Security Permissions Check for
>> DC=ForestDnsZones,DC=akesp,DC=org
>> (NDNC,Version 2)
>> * Security Permissions Check for
>> DC=DomainDnsZones,DC=akesp,DC=org
>> (NDNC,Version 2)
>> * Security Permissions Check for
>> CN=Schema,CN=Configuration,DC=akesp,DC=org
>> (Schema,Version 2)
>> * Security Permissions Check for
>> CN=Configuration,DC=akesp,DC=org
>> (Configuration,Version 2)
>> * Security Permissions Check for
>> DC=akesp,DC=org
>> (Domain,Version 2)
>> ......................... MDOMAIN passed test NCSecDesc
>> Starting test: NetLogons
>> * Network Logons Privileges Check
>> Verified share \\MDOMAIN\netlogon
>> Verified share \\MDOMAIN\sysvol
>> ......................... MDOMAIN passed test NetLogons
>> Starting test: Advertising
>> The DC MDOMAIN is advertising itself as a DC and having a DS.
>> The DC MDOMAIN is advertising as an LDAP server
>> The DC MDOMAIN is advertising as having a writeable directory
>> The DC MDOMAIN is advertising as a Key Distribution Center
>> The DC MDOMAIN is advertising as a time server
>> The DS MDOMAIN is advertising as a GC.
>> ......................... MDOMAIN passed test Advertising
>> Starting test: KnowsOfRoleHolders
>> Role Schema Owner = CN=NTDS
>> Settings,CN=MDOMAIN,CN=Servers,CN=Default-F
>> irst-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
>> Role Domain Owner = CN=NTDS
>> Settings,CN=MDOMAIN,CN=Servers,CN=Default-F
>> irst-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
>> Role PDC Owner = CN=NTDS
>> Settings,CN=MDOMAIN,CN=Servers,CN=Default-Firs
>> t-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
>> Role Rid Owner = CN=NTDS
>> Settings,CN=MDOMAIN,CN=Servers,CN=Default-Firs
>> t-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org
>> Role Infrastructure Update Owner = CN=NTDS
>> Settings,CN=MDOMAIN,CN=Serve
>> rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=akesp,DC=or
>> g
>> ......................... MDOMAIN passed test
>> KnowsOfRoleHolders
>> Starting test: RidManager
>> * Available RID Pool for the Domain is 6603 to 1073741823
>> * mdomain.akesp.org is the RID Master
>> * DsBind with RID Master was successful
>> * rIDAllocationPool is 4603 to 5102
>> * rIDPreviousAllocationPool is 4603 to 5102
>> * rIDNextRID: 4618
>> ......................... MDOMAIN passed test RidManager
>> Starting test: MachineAccount
>> Checking machine account for DC MDOMAIN on DC MDOMAIN.
>> * SPN found :LDAP/mdomain.akesp.org/akesp.org
>> * SPN found :LDAP/mdomain.akesp.org
>> * SPN found :LDAP/MDOMAIN
>> * SPN found :LDAP/mdomain.akesp.org/AKESP
>> * SPN found
>> :LDAP/0a205198-abb0-4734-83d0-0d66ac246cd1._msdcs.akesp.org
>> * SPN found
>> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/0a205198-abb0-4734-83
>> d0-0d66ac246cd1/akesp.org
>> * SPN found :HOST/mdomain.akesp.org/akesp.org
>> * SPN found :HOST/mdomain.akesp.org
>> * SPN found :HOST/MDOMAIN
>> * SPN found :HOST/mdomain.akesp.org/AKESP
>> * SPN found :GC/mdomain.akesp.org/akesp.org
>> ......................... MDOMAIN passed test MachineAccount
>> Starting test: Services
>> * Checking Service: Dnscache
>> * Checking Service: NtFrs
>> * Checking Service: IsmServ
>> * Checking Service: kdc
>> * Checking Service: SamSs
>> * Checking Service: LanmanServer
>> * Checking Service: LanmanWorkstation
>> * Checking Service: RpcSs
>> * Checking Service: w32time
>> * Checking Service: NETLOGON
>> ......................... MDOMAIN passed test Services
>> Test omitted by user request: OutboundSecureChannels
>> Starting test: ObjectsReplicated
>> MDOMAIN is in domain DC=akesp,DC=org
>> Checking for CN=MDOMAIN,OU=Domain Controllers,DC=akesp,DC=org
>> in
>> domain
>> DC=akesp,DC=org on 1 servers
>> Object is up-to-date on all servers.
>> Checking for CN=NTDS
>> Settings,CN=MDOMAIN,CN=Servers,CN=Default-First-Si
>> te-Name,CN=Sites,CN=Configuration,DC=akesp,DC=org in domain
>> CN=Configuration,DC=
>> akesp,DC=org on 1 servers
>> Object is up-to-date on all servers.
>> ......................... MDOMAIN passed test
>> ObjectsReplicated
>> Starting test: frssysvol
>> * The File Replication Service SYSVOL ready test
>> File Replication Service's SYSVOL is ready
>> ......................... MDOMAIN passed test frssysvol
>> Starting test: frsevent
>> * The File Replication Service Event log test
>> There are warning or error events within the last 24 hours
>> after
>> the
>> SYSVOL has been shared. Failing SYSVOL replication problems
>> may
>> cause
>> Group Policy problems.
>> An Error Event occured. EventID: 0xC00034F7
>> Time Generated: 12/26/2009 14:40:15
>> (Event String could not be retrieved)
>> An Error Event occured. EventID: 0xC00034F7
>> Time Generated: 12/26/2009 15:25:20
>> (Event String could not be retrieved)
>> ......................... MDOMAIN failed test frsevent
>> Starting test: kccevent
>> * The KCC Event log test
>> Found no KCC errors in Directory Service Event log in the
>> last 15
>> minut
>> es.
>> ......................... MDOMAIN passed test kccevent
>> Starting test: systemlog
>> * The System Event log test
>> An Error Event occured. EventID: 0x00000457
>> Time Generated: 12/26/2009 18:19:14
>> (Event String could not be retrieved)
>> An Error Event occured. EventID: 0x00000457
>> Time Generated: 12/26/2009 18:19:15
>> (Event String could not be retrieved)
>> ......................... MDOMAIN failed test systemlog
>> Test omitted by user request: VerifyReplicas
>> Starting test: VerifyReferences
>> The system object reference (serverReference)
>> CN=MDOMAIN,OU=Domain Controllers,DC=akesp,DC=org and backlink
>> on
>>
>> CN=MDOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configura
>> t
>> ion,DC=akesp,DC=org
>> are correct.
>> The system object reference (frsComputerReferenceBL)
>> CN=MDOMAIN,CN=Domain System Volume (SYSVOL share),CN=File
>> Replication S
>> ervice,CN=System,DC=akesp,DC=org
>> and backlink on CN=MDOMAIN,OU=Domain
>> Controllers,DC=akesp,DC=org
>> are
>> correct.
>> The system object reference (serverReferenceBL)
>> CN=MDOMAIN,CN=Domain System Volume (SYSVOL share),CN=File
>> Replication S
>> ervice,CN=System,DC=akesp,DC=org
>> and backlink on
>> CN=NTDS
>> Settings,CN=MDOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Si
>> tes,CN=Configuration,DC=akesp,DC=org
>> are correct.
>> ......................... MDOMAIN passed test
>> VerifyReferences
>> Test omitted by user request: VerifyEnterpriseReferences
>> Test omitted by user request: CheckSecurityError
>> Running partition tests on : ForestDnsZones
>> Starting test: CrossRefValidation
>> ......................... ForestDnsZones passed test
>> CrossRefValidation
>> Starting test: CheckSDRefDom
>> ......................... ForestDnsZones passed test
>> CheckSDRefDom
>> Running partition tests on : DomainDnsZones
>> Starting test: CrossRefValidation
>> ......................... DomainDnsZones passed test
>> CrossRefValidation
>> Starting test: CheckSDRefDom
>> ......................... DomainDnsZones passed test
>> CheckSDRefDom
>> Running partition tests on : Schema
>> Starting test: CrossRefValidation
>> ......................... Schema passed test
>> CrossRefValidation
>> Starting test: CheckSDRefDom
>> ......................... Schema passed test CheckSDRefDom
>> Running partition tests on : Configuration
>> Starting test: CrossRefValidation
>> ......................... Configuration passed test
>> CrossRefValidation
>> Starting test: CheckSDRefDom
>> ......................... Configuration passed test
>> CheckSDRefDom
>> Running partition tests on : akesp
>> Starting test: CrossRefValidation
>> ......................... akesp passed test
>> CrossRefValidation
>> Starting test: CheckSDRefDom
>> ......................... akesp passed test CheckSDRefDom
>> Running enterprise tests on : akesp.org
>> Starting test: Intersite
>> Skipping site Default-First-Site-Name, this site is outside
>> the
>> scope
>> provided by the command line arguments provided.
>> ......................... akesp.org passed test Intersite
>> Starting test: FsmoCheck
>> GC Name: \\mdomain.akesp.org
>> Locator Flags: 0xe00003fd
>> PDC Name: \\mdomain.akesp.org
>> Locator Flags: 0xe00003fd
>> Time Server Name: \\mdomain.akesp.org
>> Locator Flags: 0xe00003fd
>> Preferred Time Server Name: \\mdomain.akesp.org
>> Locator Flags: 0xe00003fd
>> KDC Name: \\mdomain.akesp.org
>> Locator Flags: 0xe00003fd
>> ......................... akesp.org passed test FsmoCheck
>> Test omitted by user request: DNS
>> Test omitted by user request: DNS
>> thanks again .
>> Faisal
>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>> news:. com...
>>
>>> Hello Stingray,
>>>
>>> How old is the snapshot you have?
>>>
>>> The article relies to a domain a with at least 2 DCs, where you can
>>> kick out the machine with USN rollback and then cleanup AD database
>>> from it. Now you can install an additional DC again.
>>>
>>> Is the DC also DNS server? Please post an unedited ipconfig /all from
>>> it and also a dcdiag /v. If you are able to start netlogon service
>>> manual clenaup AD database from all old DCs according to:
>>> http://support.microsoft.com/kb/555846/en-us
>>>
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers no rights.
>>> ** Please do NOT email, only reply to Newsgroups
>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>> Thanks for the reply Meinolf
>>>>
>>>> well the Microsoft solution i was talking about is present on
>>>> http://support.microsoft.com/kb/875495
>>>>
>>>> Well currently there is only one DC, but there were multiple some
>>>> time
>>>> ago
>>>> before the bdc crashed and was unrecoverable may be its cause of
>>>> that
>>>> USN
>>>> problem is coming.
>>>> Anyways what if that is the case is there a way to fix this now ?
>>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>>>> news:. com...
>>>>> Hello Stingray,
>>>>>
>>>>> An USN rollback occur if you have more then one DC and restore one
>>>>> of it from an unsupported backup solution. So as you said there is
>>>>> only one DC in the network USN rollback will not occur. The USN are
>>>>> stored on the DCs and on none other machines in the domain.
>>>>>
>>>>> Please post the link to the article from Microsoft with the
>>>>> solution you found.
>>>>>
>>>>> Also describe more detailed what you have done.
>>>>>
>>>>> Best regards
>>>>>
>>>>> Meinolf Weber
>>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>>> and
>>>>> confers no rights.
>>>>> ** Please do NOT email, only reply to Newsgroups
>>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>>> I am having serious problems here, see I have a small network & a
>>>>>> single
>>>>>> active directory server in a virtual server environment, now I did
>>>>>> a
>>>>>> mistake
>>>>>> I.e restore my DC from snapshot after its windows installation got
>>>>>> corrupt.
>>>>>> now according to Microsoft this is not supported which I found out
>>>>>> afterwards & causes a situation called USN rollback.
>>>>>> & this is now causing the netlogon service to be paused after
>>>>>> every
>>>>>> restart
>>>>>> of the server.
>>>>>> How can I fix this ? the solution to this from Microsoft is to
>>>>>> install
>>>>>> another dC transfer DNS & server roles to that server & remove
>>>>>> active
>>>>>> directory from this & reinstall active directory again using
>>>>>> dcpromo.
>>>>>> but this is not working as soon as I do all the things according
>>>>>> to
>>>>>> Microsoft document steps & shutdown the old problem giving
>>>>>> server,
>>>>>> things
>>>>>> stops working.clients cannot join domain, & no authentication
>>>>>> occurs
>>>>>> now I cannot get rid of the DC with USN roll back problem, and
>>>>>> keep
>>>>>> getting
>>>>>> the pause in netlogin service.
>>>>>> can anyone help me in this ?
>>>>>> Happy birthday of prophet Jesus to all of you.
>>>>>> regards
>
>

"stingray" <> wrote in message
news:...
> well i only did that for troubleshooting purpose, (old ip of BDC) anything
> else you want me to do ? as i did that & still the netlogon service is
> paused after startup, also windows time service is stopped have to restart
> it manualy.
>
>
> thanks & regards

Did you go through every folder and object in DNS and make sure the
additional IP address no longer shows up? You have to check both the
akesp.org zone and the _msdcs.akesp.org zone. Check every entry in each
zone, expanding each folder. Also check the Nameservers tab and everything
else in each zone's properties to make sure the additonal IP does not exist,
including the "A" records. If it does, delete it.

Once that is done, run:

ipconfig /all
net stop netlogon
net start netlogon

Then restart your machine to see if it still happens.

Please post any eventID# errors in any of the event logs, whether this works
or not. If it continues, I am going with what Meinolf said about the USN
rollback issue, because you used a snapshot. As pointed out, snapshots are
NOT supported, nor do they work. It is extremely difficult if not possible,
to clean up a USN rollback issue from a snapshot restoration. That's why
they are not supported.

That standing recommendation for a DC is to always perform full backups of
the system drive (C and a System State backup. They work nicely each and
everytime you need to restore.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

Ace i did all that but still ....

here are some errous event log entries.

================================================== ====
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 12/27/2009
Time: 9:24:06 AM
User: NT AUTHORITY\SYSTEM
Computer: MDOMAIN
Description:
Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
================================================== ================

Event Type: Error
Event Source: NTDS General
Event Category: Service Control
Event ID: 2103
Date: 12/27/2009
Time: 9:23:30 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: MDOMAIN
Description:
The Active Directory database has been restored using an unsupported
restoration procedure.

Active Directory will be unable to log on users while this condition
persists. As a result, the Net Logon service has paused.

User Action
See previous event logs for details.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

================================================== ===================
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4010
Date: 12/27/2009
Time: 9:23:32 AM
User: N/A
Computer: MDOMAIN
Description:
The DNS server was unable to create a resource record for
0a205198-abb0-4734-83d0-0d66ac246cd1._msdcs.akesp.org. in zone akesp.org.
The Active Directory definition of this resource record is corrupt or
contains an invalid DNS name. The event data contains the error.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 00 00 00 {...

================================================== ========================

Event Type: Error
Event Source: NtFrs
Event Category: None
Event ID: 13559
Date: 12/27/2009
Time: 9:24:08 AM
User: N/A
Computer: MDOMAIN
Description:
The File Replication Service has detected that the replica root path has
changed from "c:\windows\sysvol\domain" to "c:\windows\sysvol\domain". If
this is an intentional move then a file with the name
NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path.
This was detected for the following replica set:
"DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

Changing the replica root path is a two step process which is triggered by
the creation of the NTFRS_CMD_FILE_MOVE_ROOT file.

[1] At the first poll which will occur in 5 minutes this computer will be
deleted from the replica set.
[2] At the poll following the deletion this computer will be re-added to
the replica set with the new root path. This re-addition will trigger a full
tree sync for the replica set. At the end of the sync all the files will be
at the new location. The files may or may not be deleted from the old
location depending on whether they are needed or not.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

================================================== ================================

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 12/27/2009
Time: 9:24:15 AM
User: N/A
Computer: MDOMAIN
Description:
The Windows Time service terminated with the following error:
An attempt was made to logon, but the network logon service was not started.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

================================================== =====================================

Thanks & regards








"Ace Fekay [MCT]" <> wrote in message
news:...
> "stingray" <> wrote in message
> news:...
>> well i only did that for troubleshooting purpose, (old ip of BDC)
>> anything else you want me to do ? as i did that & still the netlogon
>> service is paused after startup, also windows time service is stopped
>> have to restart it manualy.
>>
>>
>> thanks & regards
>
> Did you go through every folder and object in DNS and make sure the
> additional IP address no longer shows up? You have to check both the
> akesp.org zone and the _msdcs.akesp.org zone. Check every entry in each
> zone, expanding each folder. Also check the Nameservers tab and everything
> else in each zone's properties to make sure the additonal IP does not
> exist, including the "A" records. If it does, delete it.
>
> Once that is done, run:
>
> ipconfig /all
> net stop netlogon
> net start netlogon
>
> Then restart your machine to see if it still happens.
>
> Please post any eventID# errors in any of the event logs, whether this
> works or not. If it continues, I am going with what Meinolf said about the
> USN rollback issue, because you used a snapshot. As pointed out, snapshots
> are NOT supported, nor do they work. It is extremely difficult if not
> possible, to clean up a USN rollback issue from a snapshot restoration.
> That's why they are not supported.
>
> That standing recommendation for a DC is to always perform full backups of
> the system drive (C and a System State backup. They work nicely each and
> everytime you need to restore.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
> 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
>
> For urgent issues, please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>
>
>

Hello Stingray,

Adding the other DCs ip address will not help for whatever reason you thought
about.

As stated in Event ID: 2103 the stopped netlogon states to the unsupported
way of restore. So as you have only one DC i see not a way to restore the
domain.

Basically adding a DC to the domain when the problem exists will not help
as you copy the existing AD database with the problem to the new server.

For the event id 13559 see this articles, maybe they help you:
http://support.microsoft.com/kb/819268

http://support.microsoft.com/kb/887440

In my opinion the best option is to start from scratch with the domain and
make a new one with 2 DC/DNS/GC as recommended for failover and redundancy.

Maybe you can create a trust to anew installed domain with different domain
name and use ADMT to migrate the existing accounts and computers, but as
there is this critical situation i am not sure if this will work.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Ace i did all that but still ....
>
> here are some errous event log entries.
>
> ================================================== ====
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1030
> Date: 12/27/2009
> Time: 9:24:06 AM
> User: NT AUTHORITY\SYSTEM
> Computer: MDOMAIN
> Description:
> Windows cannot query for the list of Group Policy objects. Check the
> event
> log for possible messages previously logged by the policy engine that
> describes the reason for this.
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> ================================================== ================
>
> Event Type: Error
> Event Source: NTDS General
> Event Category: Service Control
> Event ID: 2103
> Date: 12/27/2009
> Time: 9:23:30 AM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: MDOMAIN
> Description:
> The Active Directory database has been restored using an unsupported
> restoration procedure.
> Active Directory will be unable to log on users while this condition
> persists. As a result, the Net Logon service has paused.
>
> User Action
> See previous event logs for details.
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> ================================================== ===================
> Event Type: Error
> Event Source: DNS
> Event Category: None
> Event ID: 4010
> Date: 12/27/2009
> Time: 9:23:32 AM
> User: N/A
> Computer: MDOMAIN
> Description:
> The DNS server was unable to create a resource record for
> 0a205198-abb0-4734-83d0-0d66ac246cd1._msdcs.akesp.org. in zone
> akesp.org.
> The Active Directory definition of this resource record is corrupt or
> contains an invalid DNS name. The event data contains the error.
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 7b 00 00 00 {...
> ================================================== ====================
> ====
>
> Event Type: Error
> Event Source: NtFrs
> Event Category: None
> Event ID: 13559
> Date: 12/27/2009
> Time: 9:24:08 AM
> User: N/A
> Computer: MDOMAIN
> Description:
> The File Replication Service has detected that the replica root path
> has
> changed from "c:\windows\sysvol\domain" to "c:\windows\sysvol\domain".
> If
> this is an intentional move then a file with the name
> NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path.
> This was detected for the following replica set:
> "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
> Changing the replica root path is a two step process which is
> triggered by the creation of the NTFRS_CMD_FILE_MOVE_ROOT file.
>
> [1] At the first poll which will occur in 5 minutes this computer
> will be
> deleted from the replica set.
> [2] At the poll following the deletion this computer will be re-added
> to
> the replica set with the new root path. This re-addition will trigger
> a full
> tree sync for the replica set. At the end of the sync all the files
> will be at the new location. The files may or may not be deleted from
> the old location depending on whether they are needed or not.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> ================================================== ====================
> ============
>
> Event Type: Error
> Event Source: Service Control Manager
> Event Category: None
> Event ID: 7023
> Date: 12/27/2009
> Time: 9:24:15 AM
> User: N/A
> Computer: MDOMAIN
> Description:
> The Windows Time service terminated with the following error:
> An attempt was made to logon, but the network logon service was not
> started.
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> ================================================== ====================
> =================
>
> Thanks & regards
>
> "Ace Fekay [MCT]" <> wrote in message
> news:...
>
>> "stingray" <> wrote in message
>> news:...
>>
>>> well i only did that for troubleshooting purpose, (old ip of BDC)
>>> anything else you want me to do ? as i did that & still the netlogon
>>> service is paused after startup, also windows time service is
>>> stopped have to restart it manualy.
>>>
>>> thanks & regards
>>>
>> Did you go through every folder and object in DNS and make sure the
>> additional IP address no longer shows up? You have to check both the
>> akesp.org zone and the _msdcs.akesp.org zone. Check every entry in
>> each zone, expanding each folder. Also check the Nameservers tab and
>> everything else in each zone's properties to make sure the additonal
>> IP does not exist, including the "A" records. If it does, delete it.
>>
>> Once that is done, run:
>>
>> ipconfig /all
>> net stop netlogon
>> net start netlogon
>> Then restart your machine to see if it still happens.
>>
>> Please post any eventID# errors in any of the event logs, whether
>> this works or not. If it continues, I am going with what Meinolf said
>> about the USN rollback issue, because you used a snapshot. As pointed
>> out, snapshots are NOT supported, nor do they work. It is extremely
>> difficult if not possible, to clean up a USN rollback issue from a
>> snapshot restoration. That's why they are not supported.
>>
>> That standing recommendation for a DC is to always perform full
>> backups of the system drive (C and a System State backup. They work
>> nicely each and everytime you need to restore.
>>
>> -- Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Please reply back to the newsgroup or forum for collaboration benefit
>> among responding engineers, and to help others benefit from your
>> resolution.
>>
>> Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
>> MCSA
>> 2003/2000, MCSA Messaging 2003
>> Microsoft Certified Trainer
>> For urgent issues, please contact Microsoft PSS directly. Please
>> check http://support.microsoft.com for regional support phone
>> numbers.
>>