Cannot locate Global Catalog server error 1355 from dcdiag

Discussion in 'Windows Small Business Server' started by George, Sep 15, 2009.

  1. George

    George Guest

    Hello,

    I'm running Windows SBS 2003 SP2. This is the only server up and running in
    my domain. This morning users reported slow login times. The application
    log shows two errors every 5 minutes:

    event ID 1006
    Windows cannot bind to mydomain domain. (Local Error). Group Policy
    processing aborted.

    and

    event ID 1030
    Windows cannot query for the list of Group Policy objects. Check the event
    log for possible messages previously logged by the policy engine that
    describes the reason for this.

    I also have this error once in the system log:

    event ID 16645
    The maximum account identifier allocated to this domain controller has been
    assigned. The domain controller has failed to obtain a new identifier pool. A
    possible reason for this is that the domain controller has been unable to
    contact the master domain controller. Account creation on this controller
    will fail until a new pool has been allocated. There may be network or
    connectivity problems in the domain, or the master domain controller may be
    offline or missing from the domain. Verify that the master domain controller
    is running and connected to the domain.

    At 4:30am my time I had the 16645, the other two started appearing two
    minutes later and are still appearing every 5 minutes.

    I ran dcdiag and saw this in the output:

    Starting test: FsmoCheck

    Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
    A Global Catalog Server could not be located - All GC's are down.

    Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
    A Primary Domain Controller could not be located.

    The server holding the PDC role is down.
    Warning: DcGetDcName(TIME_SERVER) call failed, error 1355

    A Time Server could not be located.
    The server holding the PDC role is down.
    Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355

    A KDC could not be located - All the KDCs are down.
    ......................... mydomain failed test FsmoCheck

    I am now wondering what course of action I should take. I have backups of
    the system state but I'm wondering if there's something else I could do to
    fix this. I don't even know how it might have happened as I've made no
    changes on the server.

    I've tried restarting the DNS server service and the netlogon service, no
    good. I can also access \\myserver\netlogon and \\myserver\sysvol

    Seems to me that something's going on with the Global Catalog role?

    Any help is appreciated.
     
    George, Sep 15, 2009
    #1

  2. Hello George,

    To better diagnose this, post an ipconfig /all of the SBS server. This will
    help evaluate the configuration, taking into account the event log errors
    you posted, in order to provide specific suggestions.

    Can you recall what occurred prior to this happening? Were there any
    application installs, hotfix or updates installed, something changed, etc?

    Are there any antivirus or security apps installed? Is ISA involved and the
    firewall client possibly installed on the DCs?

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Sep 15, 2009
    #2

  3. George

    George Guest

    As it turns out, I just found the solution, it's here:

    http://support.microsoft.com/kb/839879

    I inherited this configuration. Turns out the server with the problem is
    Windows SBS 2003 that was at one point replicating with a Windows 2003
    Standard Edition Domain Controller. I was under the impression that SBS has
    only one DC that has all the FSMO roles?

    Anyway, I still had the Standard Edition server and I started dcpromo on it
    and sure enough, dcpromo said this was a domain controller.

    After I deleted the replication links as per the article, the problem
    disappeared right away.

    However, I'm still left with this second server as a DC in my AD of the
    Windows SBS 2003.
     
    George, Sep 15, 2009
    #3
  4. Yes, you can install additional DCs in an SBS domain, but the SBS would hold
    all the FSMO roles. If there are additional DCs, they should all be GCs, as
    well.

    The allocation error is a RID Pool error indicating the RID Master (one of
    the FSMOs) is not available to refresh the next block of 500 RIDs that are
    used whenever a new object in the domain is created (users, computers, etc).

    I'm a little confused. You said there was an additional DC in the
    domain, but it's no longer there or is it there? So you now have two DCs,
    the SBS and a Windows 2003 Std Edition as a current DC?

    Was there a DC that was simply unplugged prior to this?

    If you have two (SBS and the other one), are they both GCs?
    Do they both have DNS installed?

    Can you post an ipconfig /all from both, please?

    Thanks,
    Ace
     
    Ace Fekay [MCT], Sep 15, 2009
    #4
  5. George

    George Guest

    The situation is as follows:

    server alfa is the SBS DC
    server beta is the Std Edition DC

    Beta was taken off the network 10 months ago and has been off alfa's network
    since then. However I have console access to beta even though it's not on
    alfa's network anymore.

    How can I tell if a DC is a GC? I opened up AD Sites and Services and
    expanded each server. Under General tab of properties for NTDS settings, I
    see that Global Catalog is checked for each server.

    They both have DNS on them, alfa the master, beta the slave. The DNS is AD
    integrated.

    Here are the ipconfig /all (sanitized):

    alfa

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : alfa
    Primary Dns Suffix . . . . . . . : mydomain.com
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : Yes
    DNS Suffix Search List. . . . . . : mydomain.com

    Ethernet adapter Server Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection
    Physical Address. . . . . . . . . : 00-00-00-00-00-00
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.10.9.30
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.10.9.2
    DNS Servers . . . . . . . . . . . : 10.10.9.30
    my_ISP_DNS_IP
    Primary WINS Server . . . . . . . : 10.10.9.30


    beta

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : beta
    Primary Dns Suffix . . . . . . . : mydomain.com
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : Yes
    DNS Suffix Search List. . . . . . : mydomain.com

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX)
    Physical Address. . . . . . . . . : 00-00-00-00-00-00
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.10.9.10
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.10.9.2
    DNS Servers . . . . . . . . . . . : 10.10.9.10
     
    George, Sep 15, 2009
    #5
  6. Thank you for posting the ipconfigs, and in a safe manner!

    First thing I see is you are using your ISP's DNS. Let's remove that. For
    AD, you must only use the internal DNS, and in this case, it's your SBS, on
    both interfaces. Configure a Forwarder to that ISP DNS. That's done in DNS
    properties, Forwarders tab. If you try to configure a Forwarder, yet the
    Forwarding option is grayed out, delete the Root zone (the zone actually
    looks like the period at the end of a sentence). The following link will
    show you how.

    323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003:
    http://support.microsoft.com/?id=323380
    Check out the following to show how, if not sure:

    Back to the DCs...

    That's exactly where to tell if a DC is in Sites and Services - click on the
    respective server, choose properties of NTDS.

    However....

    Since beta was off the wire and the SBS was never able to replicate to it
    for 10 months, it has passed the tombstone lifetime (for 2003, that would
    have been 180 days) of all AD objects (users, computers, DCs, etc).
    Therefore beta can no longer (never) be plugged back into the network. You
    have to simply rebuild it if you want to use it again.

    Now you must remove beta's reference from AD on alfa. To do that, you would
    need to run a Metadata Cleanup procedure, then delete its reference in
    Sites and Services under Server objects. Follow the proc in the following
    link.

    How to remove data in Active Directory after an unsuccessful domain
    controller demotion (Metadata cleanup):
    http://support.microsoft.com/kb/216498

    After you've run the cleanup process and deleted its server object in Sites
    and Services, run the following to make sure things are cleaned up and ok.
    netdiag /v /fix
    dcdiag /v /fix
    Report any errors.

    Sorry to be the bearer of this bad news, this is one of the stipulations of
    AD, SBS or not. Once a DC is a DC, it's like a symbiont, you can't simply
    unplug it. If a DC was not wanted any longer, you would simply run dcpromo
    to demote it. It can't be simply unplugged, or the remaining DC that is
    plugged in will keep crying for its partner. The only way out is to run the
    cleanup process on the remaining DC.

    If you had transferred any FSMO roles (which is not advised with SBS), they
    would now have to be 'seized' to the existing DC, but I don't think you did
    that. Run the following to make sure that all the FSMOs are still on the
    SBS:

    netdom query fsmo

    If any one of them shows elsewhere, they would need to be seized back.

    Ace
     
    Ace Fekay [MCT], Sep 15, 2009
    #6
  7. George

    George Guest

    Thanks for the quick and thorough reply. Tomorrow I'll have a look at
    setting up the DNS forwarding. I ran netdom query fsmo on alfa and got this
    so I think alfa's got everything it needs:

    Schema owner alfa.mydomain.com

    Domain role owner alfa.mydomain.com

    PDC role alfa.mydomain.com

    RID pool manager alfa.mydomain.com

    Infrastructure owner alfa.mydomain.com

    The command completed successfully.

    Too bad I didn't know about that command before I deleted the replication
    links between alfa and beta, would have liked to have seen that output. I
    can live with having to rebuild beta if we want to use it as another DC.

    Would it be enough to have a backup of alfa's System State for restoring AD
    on alfa in the event the AD cleanup of beta on alfa went wrong?

    How to remove data in Active Directory after an unsuccessful domain
    controller demotion (Metadata cleanup):
    http://support.microsoft.com/kb/216498
     
    George, Sep 15, 2009
    #7
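
The FSMO check from post #6, run against the `netdom query fsmo` output in post #7, can be scripted so that a role held by a stale DC such as beta is flagged rather than read by eye. This is an added example, not part of the thread or of any Microsoft tool; the function name `Test-FsmoOwner` and its parameters are hypothetical, and the "drift" input is constructed for illustration.

```powershell
# Added example: confirm every FSMO role listed by `netdom query fsmo`
# is held by the expected DC. Test-FsmoOwner is a hypothetical helper.
function Test-FsmoOwner {
    param(
        [string[]]$NetdomOutput,   # lines of `netdom query fsmo` output
        [string]$ExpectedOwner     # FQDN of the DC that should hold all roles
    )
    # Role labels exactly as netdom prints them (see the output in post #7).
    $roles = 'Schema owner', 'Domain role owner', 'PDC role',
             'RID pool manager', 'Infrastructure owner'
    $found = @{}
    foreach ($line in $NetdomOutput) {
        foreach ($role in $roles) {
            # Anchored match: role label, whitespace, then the owner's host name.
            if ($line -match "^\s*$([regex]::Escape($role))\s+(\S+)\s*$") {
                $found[$role] = $Matches[1]
            }
        }
    }
    foreach ($role in $roles) {
        $owner = $found[$role]
        if (-not $owner) { $status = 'MISSING' }          # role not reported at all
        elseif ($owner -ieq $ExpectedOwner) { $status = 'OK' }
        else { $status = 'MISPLACED' }                    # would need to be seized back
        [pscustomobject]@{ Role = $role; Owner = $owner; Status = $status }
    }
}

# Output as posted in the thread (post #7).
$sample = @'
Schema owner alfa.mydomain.com

Domain role owner alfa.mydomain.com

PDC role alfa.mydomain.com

RID pool manager alfa.mydomain.com

Infrastructure owner alfa.mydomain.com

The command completed successfully.
'@ -split '\r?\n'

Test-FsmoOwner -NetdomOutput $sample -ExpectedOwner 'alfa.mydomain.com' | Format-Table -AutoSize

# Constructed variant: the RID pool manager role left on the offline DC.
$drift = $sample -replace '^RID pool manager\s+\S+', 'RID pool manager beta.mydomain.com'
Test-FsmoOwner -NetdomOutput $drift -ExpectedOwner 'alfa.mydomain.com' |
    Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

On a live DC, pass `(netdom query fsmo)` as `-NetdomOutput` instead of the embedded sample.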
  8. That's a good thought. I usually recommend a backup prior to any changes,
    System state AND a full C: backup (if that's where Windows and Sysvol and
    NTDS folders are installed).

    It would be easier to rebuild beta. But remember, save any data on it before
    wiping it clean.

    Ace
     
    Ace Fekay [MCT], Sep 15, 2009
    #8