RID,PDC,Infrastructure operation masters states ERROR - operations master currently offline

Discussion in 'Active Directory' started by Alan Drown, Mar 8, 2005.

  1. Alan Drown

    Alan Drown Guest

    Hi all,

    I have a small network with 2 windows 2003 domain controllers.

    If I open up the ADUC MMC and look at the operation masters, the RID, PDC
    and Infrastructure roles indicate ERROR rather than the name of the DC with
    that role. It indicates this when I look at this from either DC.

    In the event log on both Domain controllers there are event 5719's at 4 hour
    intervals every day. No other times except these 4 hour intervals.
    They're staggered by 2 hours on each Domain controller, i.e. DC1 at 4:30pm,
    8:30pm, while DC2 is 6:30pm, 10:30pm.

    So it appears that the Domain Controllers are not communicating though I
    have no other connectivity issues between these two systems. I can manage
    either DC from within the ADUC MMC on either DC. Shares show up on both DC's
    from either DC.

    Any clues on what the problem is or how to best troubleshoot this?

    The Domain functional level indicates it's running in Windows 2000 native.
    The Forest functional level states Windows 2000.

    One other point of interest:
    DC1 is acting as a secondary rather than a primary DNS server
    The primary is a Linux box. DNS appears to be functioning just fine but
    could this be the problem?

    I have no problems making DC1 the primary DNS; I'm just a little leery about
    the consequences.
    Would I just delete the secondary zone and recreate it as a primary zone?

    I'd hate to cause more problems, specifically log in problems which I don't
    have right now.
    Other than the fact that neither DC knows who the RID, PDC and Infrastructure
    master are, I don't see any issues.
    But, I'm getting ready to add an Exchange server and I'd like to clear these
    errors up before I do.

    Any help from you gurus out there would be very much appreciated!

    Alan Drown, Mar 8, 2005

  2. Alan Drown

    Alan Drown Guest

    Pardon me if I'm out of line but is there a particular reason no one is
    chiming in here?
    Is this too hard or too stupid a post?

    This is the second post I've made to this group and gotten no responses.
    I thought that these groups were monitored by Microsoft as well?
    At least, that's what my Technet Subscription states is one of the
    Alan Drown, Mar 9, 2005

  3. Alan Drown

    Chad A. Lacy Guest


    Did you ever have another domain controller in this environment? I'm
    concerned that neither server knows who the RID, PDC, and Infrastructure
    Master is. If you aren't seeing any replication errors, then I would suggest
    that you seize these roles to one of the domain controllers. It appears like
    you had a DC in this environment that might have held these roles and that
    server went away without notifying the other DC's that it was going away.
    This would be the same situation if you simply rebuilt one of the existing
    DC's without first letting the other DC know that it was going away.

    Anyways, to seize the FSMO roles, follow this article:


    Once the roles are seized to one of the DC's and you truly aren't having
    any communication issues between the two DC's, both DC's should see who the
    FSMO role holders are.

    As to your question about hosting DNS, that is particularly a preference
    question. Your Linux server should be able to handle the DNS function just
    fine. I personally prefer to have a Windows machine host my DNS because of
    the Active Directory integrated features that the Windows OS brings to DNS.
    It just makes managing DNS much easier.
    Chad A. Lacy, Mar 9, 2005
  4. Alan Drown

    Alan Drown Guest

    Hi Chad,

    thanks very much for your reply.

    I've inherited this setup but I believe there have been only the 2 DC's.

    It's a relatively new network.

    I don't see any other errors indicating that there is a problem between the 2
    DC's. Users have no problems logging in to the Domain and I've added numerous
    computers to the domain without any problem.
    I don't see any errors indicating that there are file replication issues other
    than the ones I described that are present on both DC's at 4 hour intervals.
    Are there some diags I should run to determine that they are truly talking to
    each other before I try to seize the roles?
    Could attempting to seize the roles cause other serious problems if they are
    having communication problems?

    I found out a little more info that could be significant.

    For some reason the DNS forward zone, on the DC that was the GC, was set
    as a primary AD integrated and the Reverse lookup zone was set up as a
    secondary to the Linux box.
    The zone files had varied information in them.

    They couldn't seem to change the primary to a secondary so they just deleted
    it and recreated it, which didn't seem to cause any problems. Is this a bad
    thing? Deleting the primary zone file on the AD server and recreating the
    zone file as a secondary?
    I'm wondering if the errors in the event log on both DC's started around
    that time or not....
    I'll take a look and see if they started around the time this was done.
    All the appropriate SRV RR appear to have been recreated on the AD controller
    that is now setup as a secondary DNS server.

    I'm not certain why they have a Linux box as a DNS server. I think it was
    pre-AD controllers.
    I want to get rid of the Linux DNS server and make the AD controller a
    primary DNS server setup integrated with AD.

    Can I simply delete and recreate the DNS forward zone on the AD controller
    or is there a process I should follow to accomplish this?

    thanks again for your response. I appreciate it.

    Alan Drown, Mar 10, 2005
  5. Alan Drown

    ptwilliams Guest

    Sounds like you've got big DNS issues. These are probably the cause of all
    your issues.

    So, let's fix DNS...

    You want to get rid of the UNIX box. Good. That simplifies things. Try
    the following:

    Delete the DNS zones on both DCs. On one of the DCs, create a new Primary
    Forward lookup zone. Ensure it's set to accept automatic updates. Point
    both DCs at this DNS server only in the TCP/IP settings. Ensure that the
    DHCP Client service is set to automatically start and is running on both DCs
    (even though they've got static IP addresses) and restart netlogon on both
    DCs. For good measure, run the following command on both DCs too:

    ipconfig /registerdns

    Now, change the Primary zone to be AD-Integrated, and either allow for
    replication or force replication using replmon (support tools) or

    Once everything has replicated, if you load the DNS snap-in on the DC that
    is not being pointed to for DNS, you should see the DNS zone present. If
    so, great!!!

    Once you've done this, run the following command on both DCs and post the
    results here (if they're negative):

    netdiag /test:dns

    If these machines reside in the same site, leave them both pointing at the
    one DC for DNS, and configure the secondary/ second DNS server in TCP/IP
    properties to point to the other. If they're in different sites, change it
    so they both point to themselves first and each other second.

    Once DNS is sorted, we can start looking at the OM issue...


    Paul Williams

    ptwilliams, Mar 10, 2005
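    The checks below verify the end state of the DNS procedure Paul describes (zone recreated, DCs pointed at it, netlogon restarted, records registered). This is an added script, not from the thread or from Microsoft; it assumes a Windows Server 2012+ box with the DnsClient module, whereas the thread's era used netdiag /test:dns for the same purpose. $DomainName is taken from the environment; everything else is standard cmdlets.

    ```powershell
    # Added verification script (not from the thread). Run on a DC after the
    # DNS zone has been recreated and netlogon restarted.
    param([string]$DomainName = $env:USERDNSDOMAIN)

    # SRV records netlogon registers when it can reach DNS. The pdc record is
    # published only by the PDC emulator, the gc record only by global catalogs.
    $records = @(
        "_ldap._tcp.dc._msdcs.$DomainName",
        "_kerberos._tcp.dc._msdcs.$DomainName",
        "_ldap._tcp.pdc._msdcs.$DomainName",
        "_ldap._tcp.gc._msdcs.$DomainName"
    )

    $ok = $true
    foreach ($name in $records) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        } catch {
            Write-Warning "Missing SRV record: $name"
            $ok = $false
            continue
        }
        foreach ($r in $srv) {
            # A SRV target that has no A record is a stale registration (for
            # example a DC that was removed without being demoted).
            try {
                $null = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction Stop
                "OK   $name -> $($r.NameTarget):$($r.Port)"
            } catch {
                Write-Warning "$name points at $($r.NameTarget), which has no A record"
                $ok = $false
            }
        }
    }

    # Paul's later advice: every machine needs at least two DNS servers listed.
    $dns = @((Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses.Count -gt 0 }).ServerAddresses |
             Select-Object -Unique)
    if ($dns.Count -lt 2) {
        Write-Warning "Only $($dns.Count) DNS server(s) configured: $($dns -join ', ')"
        $ok = $false
    }

    if ($ok) { "DNS checks passed" } else { "DNS checks failed" }
    ```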
  6. Alan Drown

    Alan Drown Guest

    Paul, thanks for your reply. Very much appreciated.

    I'll be working on this later today and let you know how it goes.

    Alan Drown, Mar 10, 2005
  7. Alan Drown

    Alan Drown Guest


    Here's the order of things I did:

    - deleted the secondary forward lookup zone.
    - recreated the forward lookup zone with the same name as the company domain.
    I also had it be active directory integrated accepting secure dynamic
    updates right from the beginning rather than the way you recommended. Would
    this be a problem? When I tried setting up a primary zone that was not
    active directory integrated I saw no way to upgrade it after the fact.

    - reconfigured IP settings for each domain controller to point to the newly
    created primary DNS server on DC1
    - restarted netlogon service on each domain controller (in each event log
    there are netlogon event id 3096 indicating that it could not find the
    primary Domain Controller for this domain (just like this. no capital on the
    primary and capitals on Domain Controller) this is probably related to the
    fact that neither DC knows who the OM's are still?
    - ran ipconfig /registerdns on both DC's
    - ran replmon and forced a replication. Seemed to take fine with no errors

    I also deleted the reverse lookup zone for the subnet because it was set as
    secondary and then recreated it.

    I don't quite understand the DNS snap-in piece you asked me to do. The second DC
    was/is not a DNS server so it doesn't have the DNS snap-in loaded by default.
    I tried to start up an MMC and load the DNS snap-in but it wasn't around. So
    I installed DNS and didn't configure it.
    Now I have the DNS console. I don't see anything unless I actually point the
    snap-in at waikiki and then see the zones. Is this what you meant?
    On another note: should I make this DC a DNS server? I thought I read
    something to the effect that DNS replication would be handled by AD now so I
    wouldn't have to make this system a secondary? Am I confused? Could you shed
    a little light on this?

    - I ran netdiag /test:dns on both systems and had no errors

    So, both DC's still show ERROR for RID, PDC and Infrastructure roles.
    What's the least painful and most efficient way to get this resolved?
    Should I go ahead and seize roles on DC1 (the GC)?

    thanks again for all your assistance Chad and Paul!


    Alan Drown, Mar 11, 2005
  8. Alan Drown

    ptwilliams Guest

    Because you've made your DNS zone AD-Integrated, and have now installed the
    DNS service on the second DC, this DC, upon replicating, will contain the DNS
    zone too. You'll need to restart the zone to get it to load. Once this is
    done, both DCs are DNS servers. Good!

    dcdiag and netdiag passing is good. This means that 999/1000 DNS is OK!

    Onto the FSMO roles.

    You need to seize the roles using ntdsutil. There are several KBs on how to
    do this.

    Seize to one of the DCs, and for good measure restart netlogon after you've
    done so. Then replicate again.

    Once replication has worked, run dcdiag and netdiag on both DCs again.


    Paul Williams

    ptwilliams, Mar 11, 2005
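    After the roles have been seized and replication has run, the state Paul wants confirmed is that every FSMO holder recorded in the directory is a DC that actually exists and answers. This added check (not from the thread or from Microsoft) does that with the ActiveDirectory module, which assumes RSAT or Windows Server 2008 R2+; the thread itself used ntdsutil and dcdiag.

    ```powershell
    # Added check (not from the thread). Lists each FSMO role holder as stored in
    # AD and verifies the host still resolves and answers LDAP. A holder that
    # fails both is the "ERROR" ADUC shows after a DC was removed uncleanly.
    Import-Module ActiveDirectory

    $domain = Get-ADDomain
    $forest = Get-ADForest

    $roles = [ordered]@{
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
    }

    $healthy = $true
    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        if (-not $holder) {
            Write-Warning "$role : no holder recorded in the directory"
            $healthy = $false
            continue
        }
        # Step 1: the holder must still have a DNS A record.
        try {
            $null = Resolve-DnsName -Name $holder -Type A -ErrorAction Stop
        } catch {
            Write-Warning "$role : held by $holder, which no longer resolves in DNS (stale holder?)"
            $healthy = $false
            continue
        }
        # Step 2: it must answer LDAP, not merely exist as a name.
        if (Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet) {
            "OK   $role : $holder"
        } else {
            Write-Warning "$role : $holder resolves but does not answer LDAP on 389"
            $healthy = $false
        }
    }

    if ($healthy) { "All FSMO role holders are live DCs" } else { "FSMO holders need attention" }
    ```

    A stale holder here is the condition the thread's later posts describe, and the remaining step is the metadata cleanup Paul links in KB 216498.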
  9. Alan Drown

    Todd J Heron Guest

    Todd J Heron, Mar 11, 2005
  10. Alan Drown

    Alan Drown Guest

    Hi Paul,

    thanks for your continued responses!

    When opening up the DNS MMC there is nothing listed there.
    When I installed DNS on the second DC, it automatically started the wizard
    to create a zone and gave me the choice of AD integrated at the Forest or
    Domain level and all the basic options. I was uncertain what to do at this
    point so I canceled the install.
    I don't think I should have done that but I was confused and didn't want to
    end up installing another DNS server as primary.
    What should I have done at this point?
    Should I have installed just like I did on DC1 and select integrated with AD
    and they would have worked out who was primary and who was secondary?


    I went ahead and seized the roles using ntdsutil and during the process it
    indicated that there WAS INDEED a DC that was yanked out of the Domain that
    had those roles. I asked the client and they said "Oh yeah, forgot about
    that one!"...

    thanks again.

    What should I have done at this point?
    Alan Drown, Mar 12, 2005
  11. Alan Drown

    Alan Drown Guest

    Thanks Todd!

    Alan Drown, Mar 12, 2005
  12. Alan Drown

    ptwilliams Guest


    You should be able to install DNS and, if prompted to do so, just not run
    the setup a zone wizard. You install DNS via Add/Remove programs\Windows
    components. However, if you can open the snap-in then it's already on
    there. So, load the DNS Snap-in (dnsmgmt.msc) and right-click on the server.
    Look for the option that dictates where zone information is loaded from at
    startup. You want Active Directory and Registry.

    Once DNS is installed, and the load info set, restart the DNS Server
    service. If this doesn't pull the zone, you've got to check it's
    replicated. Depending on the version of Windows and the type of DNS zone
    this can reside in a different place. Try the above first, and let's see
    what happens.

    If in doubt...reboot ;-)

    Typical!! ;-)

    Removing that sucka!!! Here's the KB. Follow it to the letter. Remember
    that you bind to an existing (working) DC and remove the dead one.
    -- http://support.microsoft.com/kb/216498


    Paul Williams

    ptwilliams, Mar 14, 2005
  13. Alan Drown

    Alan Drown Guest

    Thanks Paul, appreciate it.
    Thanks Chad, as well!

    DNS appears to be working and I don't have any of the netlogon errors showing
    up on the DC's any longer! Yeah!
    So, is there such a thing as a primary and secondary DNS server in my current
    Active Directory-enabled DNS setup?

    The only DNS server listed in DHCP is the IP address of DC1. If DC1 goes
    down, how will clients know to go to DC2 for DNS?
    Should I provide DC2's IP address within DHCP?

    tx again for all your help

    Alan Drown, Mar 14, 2005
  14. Alan Drown

    ptwilliams Guest

    Yes, this is a major area where people lose their hair!! ;-)

    You have to provide all clients with *at least* two DNS servers. Else, if
    the first is down, they cannot locate the domain...

    In an AD-Integrated environment, all DNS servers are 'Primary'. It works in
    the multi-master fashion that the rest of AD works in.

    Glad you got it sorted.

    All the best.


    Paul Williams

    ptwilliams, Mar 15, 2005