Rastor728 (Old Timer, USA, 736 Posts)
Posted - 04/10/2009 : 3:35:16 PM
I have one last error message to clear up, does anyone have a starting point?
Thanks again for all the help!!
Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1801
Date: 4/10/2009
Time: 11:57:47 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: XXXX
Description: The partition DC=DomainDnsZones,DC=XXXX should be hosted at site CN=MainCampus,CN=Sites,CN=Configuration,DC=XXXX, but has not been instantiated yet. However, the KCC could not find any hosts from which to replicate this partition.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
What would Clark Kent do to someone who stole his identity?
wkasdo (Administrator, Netherlands, 7405 Posts)
Posted - 04/10/2009 : 3:47:36 PM
That's an interesting one. I'd love to have a look at your system to see what is going on. It looks like you have created a DNS zone that was removed again before it had a chance to replicate.
What do your DNS zones look like? Do you have any in the domain DC=XXXX with the replication scope "all DNS servers in the domain"?
Make it as simple as you can, but not simpler -- Albert Einstein
Rastor728 (Old Timer, USA, 736 Posts)
Posted - 04/10/2009 : 4:03:30 PM
Nope, only one zone that is configured to replicate to "All domain controllers in the Active Directory domain"....
What would Clark Kent do to someone who stole his identity?
wkasdo (Administrator, Netherlands, 7405 Posts)
Posted - 04/10/2009 : 4:25:24 PM
Right. If you are really sure about that I have a solution for you. Warning: if you do have a scope with "all DNS servers in the domain", it will be destroyed after this.
I think you have an object that defines the existence of the DNS partition: a crossref object. Here is how to get rid of it. (again, remove the wrong one and your AD might be dead):
- open adsiedit, using an Enterprise Admin account
- open the Configuration container
- browse to CN=Partitions
- look for an object where the Directory Partition Name (second column in adsiedit) is like this: DC=DomainDnsZones,DC=XXXX (don't pick the wrong one)
- remove it.
If this doesn't work for some reason we need to resort to ntdsutil. Let me know.
Make it as simple as you can, but not simpler -- Albert Einstein
Rastor728 (Old Timer, USA, 736 Posts)
Posted - 04/10/2009 : 4:41:03 PM
With the "threat" of killing AD, I have the following partition names to "double check". What exactly will removing this first item do?
DC=DomainDNSZones, DC=XXXX
DC=ForestDnsZones, DC=XXXX
CN=Schema, CN=Configuration, DC=XXXX
DC=XXXX
What would Clark Kent do to someone who stole his identity?
wkasdo (Administrator, Netherlands, 7405 Posts)
Posted - 04/10/2009 : 4:55:37 PM
These crossRef objects define the existence of the partitions in your forest: your domain, the schema, the config partition (which I don't see in this list?!), and the DNS partitions.
If you remove a crossRef, you effectively make the partition unusable. The good news is, you can restore it from a systemstate backup -- which you have of course ;-)
In this case, the DomainDNSZones partition does not really exist. You have no DC's that host it. The crossRef is an empty placeholder. Come to think of it, there is a way to test it. Open the crossRef object for the DomainDNSZones, and look at the attribute msDS-NC-Replica-Locations. It should be _empty_ in your case, or at worst contain a non-existing DC. If it's not empty then don't delete it and go troubleshoot the DC's it lists.
Make it as simple as you can, but not simpler -- Albert Einstein
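The crossRef test wkasdo describes (read msDS-NC-Replica-Locations, then see whether each listed DC really holds the partition) can be scripted so the two checks are done together and nothing is deleted. The block below is an added example, not code from wkasdo or from the thread. It assumes it runs as a domain user on a domain-joined Windows host; DC=DomainDnsZones,DC=XXXX stands in for the partition DN named in the event, and the DC names it prints come from the directory itself.

```powershell
# Added example, not code from the thread. Read-only check of the crossRef
# objects wkasdo describes: for each partition it prints the DCs listed in
# msDS-NC-Replica-Locations and whether the partition head can actually be
# bound on that DC (the same test as adsiedit "connect to ... DN or NC").
# Assumes: run as a domain user on a domain-joined Windows host; the DN passed
# as -PartitionDn (DC=DomainDnsZones,DC=XXXX here) is a placeholder.

function Test-PartitionOnDc {
    param([string]$DcHost, [string]$PartitionDn)

    # Bind the partition head on one specific DC. A DC that is listed in the
    # crossRef but has never instantiated the partition answers "no such object".
    $head = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DcHost/$PartitionDn")
    try {
        $head.RefreshCache([string[]]@('distinguishedName'))
        return 'Present'
    } catch {
        $inner = $_.Exception.InnerException
        if (-not $inner) { $inner = $_.Exception }
        switch ('{0:X8}' -f $inner.HResult) {
            '80072030' { return 'NotInstantiated' }   # LDAP_NO_SUCH_OBJECT
            '8007203A' { return 'DcUnreachable' }     # "The server is not operational"
            default    { return "Error: $($inner.Message)" }
        }
    }
}

function Get-CrossRefReplicaStatus {
    [CmdletBinding()]
    param(
        # nCName of the partition to inspect; omit to inspect every crossRef
        [string]$PartitionDn
    )

    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $container = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Partitions,$configNc")

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter      = '(objectClass=crossRef)'
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('nCName', 'msDS-NC-Replica-Locations'))

    foreach ($hit in $searcher.FindAll()) {
        $ncName = [string]$hit.Properties['ncname'][0]
        if ($PartitionDn -and $ncName -ne $PartitionDn) { continue }   # case-insensitive compare

        # Each value is the DN of a DC's NTDS Settings object, e.g.
        # CN=NTDS Settings,CN=DC1,CN=Servers,CN=MainCampus,CN=Sites,CN=Configuration,DC=XXXX
        $replicaLocations = @($hit.Properties['msds-nc-replica-locations'])

        if ($replicaLocations.Count -eq 0) {
            # Empty, as wkasdo expects for a ghost partition: nobody claims to host it
            [pscustomobject]@{ Partition = $ncName; ReplicaDc = '(none listed)'; Status = 'NoReplicaLocations' }
            continue
        }

        foreach ($ntdsDn in $replicaLocations) {
            # The parent of "CN=NTDS Settings,..." is the server object, which carries dNSHostName
            $serverDn = ($ntdsDn -split ',', 2)[1]
            $server   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$serverDn")
            $dcHost   = [string]$server.Properties['dNSHostName'].Value

            [pscustomobject]@{
                Partition = $ncName
                ReplicaDc = $dcHost
                Status    = Test-PartitionOnDc -DcHost $dcHost -PartitionDn $ncName
            }
        }
    }
}

# Usage: inspect only the partition named in event 1801
Get-CrossRefReplicaStatus -PartitionDn 'DC=DomainDnsZones,DC=XXXX' | Format-Table -AutoSize
```

A DC reported as NotInstantiated is exactly the situation the thread ends up in: the crossRef names the DC as a replica, but the DC has no copy of the partition. Present on any DC means real data lives there, and the crossRef must not be removed.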
wkasdo (Administrator, Netherlands, 7405 Posts)
Posted - 04/10/2009 : 4:58:44 PM
This is why I'd like to have my hands on the system. Trying to think of all these things without having a console is tricky. I need to go now, and will check back tomorrow same time (10 PM my time).
Make it as simple as you can, but not simpler -- Albert Einstein
Rastor728 (Old Timer, USA, 736 Posts)
Posted - 04/10/2009 : 5:02:03 PM
It actually lists my two domain controllers in that, thanks for the help.
I won't be back at work (hopefully) until Monday. It looks like you are 10 hours ahead of me (2 PM here) so I'll check back later.
Thanks again for all the help. With your input, I have already made great leaps at repairing and stabilizing this domain.
What would Clark Kent do to someone who stole his identity?
Edited by - Rastor728 on 04/10/2009 5:04:07 PM
aval (Honorable But Hopeless Addict, USA, 3276 Posts)
Posted - 04/10/2009 : 6:47:42 PM
quote: Originally posted by wkasdo
> This is why I'd like to have my hands on the system.
Not an opportunity to miss - Willem was kind enough to do this for me once and it really cleared things up - even if it was a test setup in my case.
wkasdo (Administrator, Netherlands, 7405 Posts)
Posted - 04/11/2009 : 3:21:41 PM
> actually lists my two domain controllers in that
Interesting... are these live DC's? If not, we should do a metadata cleanup to get rid of them. If they do exist, does either one actually host the DC=DomainDNSZones partition? One way of checking that is to point adsiedit at that DC, and try to open the partition using the full DN: DC=DomainDNSZones,DC=XXXX.
Make it as simple as you can, but not simpler -- Albert Einstein
don2007 (Honorable But Hopeless Addict, 1975 Posts)
wkasdo (Administrator, Netherlands, 7405 Posts)
Posted - 04/12/2009 : 11:45:23 AM
Yes, looks like the same thing.
Make it as simple as you can, but not simpler -- Albert Einstein
Rastor728 (Old Timer, USA, 736 Posts)
Posted - 04/13/2009 : 11:29:32 AM
quote: Originally posted by wkasdo
> > actually lists my two domain controllers in that
> Interesting... are these live DC's? If not, we should do a metadata cleanup to get rid of them. If they do exist, does either one actually host the DC=DomainDNSZones partition? One way of checking that is to point adsiedit at that DC, and try to open the partition using the full DN: DC=DomainDNSZones,DC=XXXX.
Yes, they are my two domain controllers....
What would Clark Kent do to someone who stole his identity?
wkasdo (Administrator, Netherlands, 7405 Posts)
Posted - 04/13/2009 : 4:27:26 PM
I cannot quite picture how to get the system in this state, but the solution is to use ntdsutil to perform a metadata cleanup on DC=DomainDNSzones,DC=XXXX. Pick a DC holding that partition to remove it (assuming DC1).
At a command prompt, start ntdsutil:
ntdsutil: domain management
ntdsutil: connections
ntdsutil: connect to server DC1
ntdsutil: q
ntdsutil: list (full list of all partitions on that DC, for good luck)
ntdsutil: delete NC DC=DomainDnsZones,DC=XXX
etc. This will remove all references to that partition. (did I mention to make sure that the DNS zones corresponding to these partitions really are not used ;-)
Make it as simple as you can, but not simpler -- Albert Einstein
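Because "delete nc" is the one irreversible step in this thread, it helps to wrap wkasdo's ntdsutil sequence so that the read-only "list" and a bind test run first and the deletion only happens after an explicit confirmation. The block below is an added example and is not wkasdo's code. It assumes Windows Server 2008 or later, where ntdsutil wants "activate instance ntds" first and calls the menu "partition management" (the "domain management" name in the post is the Windows Server 2003 name); DC1 and DC=DomainDnsZones,DC=XXXX are placeholders.

```powershell
# Added example, not code from the thread. Wraps the ntdsutil sequence wkasdo
# gives so the read-only "list" step runs first and the destructive "delete nc"
# step only runs after a preflight check and an explicit confirmation.
# Assumes Windows Server 2008 or later ("activate instance ntds" and the
# "partition management" menu). DC1 and DC=DomainDnsZones,DC=XXXX are
# placeholders for the DC holding the crossRef and the ghost partition.

function Invoke-NtdsutilPartition {
    param([string]$Server, [string[]]$Commands)
    # ntdsutil accepts its interactive commands as arguments and runs them in order;
    # the sequence mirrors the post: menu, connections, connect, q, <commands>, q, q
    $ntdsArgs = @('activate instance ntds', 'partition management', 'connections',
                  "connect to server $Server", 'quit') + $Commands + @('quit', 'quit')
    & ntdsutil.exe @ntdsArgs 2>&1 | ForEach-Object { $_.ToString() }
}

function Remove-GhostPartition {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$PartitionDn
    )

    # Step 1 (read-only): the partition must appear in the server's list of NCs
    $listing = Invoke-NtdsutilPartition -Server $Server -Commands 'list'
    $listing
    if (-not ($listing -match [regex]::Escape($PartitionDn))) {
        throw "$PartitionDn is not among the partitions known to $Server; nothing to clean up."
    }

    # Step 2 (read-only): the partition head must NOT be bindable on that DC.
    # A bindable head means real data, and the thread's advice is to stop here.
    if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Server/$PartitionDn")) {
        throw "$PartitionDn is instantiated on $Server; this is not a ghost partition. Aborting."
    }

    # Step 3 (destructive): remove the crossRef and all references to the NC.
    # -WhatIf only shows the action; otherwise PowerShell prompts before running it.
    if ($PSCmdlet.ShouldProcess("$PartitionDn on $Server", 'ntdsutil delete nc')) {
        Invoke-NtdsutilPartition -Server $Server -Commands "delete nc $PartitionDn"
    }
}

# Dry run first; drop -WhatIf only once a system state backup of the DCs exists
Remove-GhostPartition -Server 'DC1' -PartitionDn 'DC=DomainDnsZones,DC=XXXX' -WhatIf
```

The two throws encode the thread's own stop conditions: if ntdsutil does not know the partition there is nothing to remove, and if the partition head binds on the DC it is not a ghost and the crossRef must stay.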
Rastor728 (Old Timer, USA, 736 Posts)
Posted - 04/13/2009 : 6:07:46 PM
quote: Originally posted by wkasdo
> I cannot quite picture how to get the system in this state, but the solution is to use ntdsutil to perform a metadata cleanup on DC=DomainDNSzones,DC=XXXX. Pick a DC holding that partition to remove it (assuming DC1).
> At a command prompt, start ntdsutil:
> ntdsutil: domain management
> ntdsutil: connections
> ntdsutil: connect to server DC1
> ntdsutil: q
> ntdsutil: list (full list of all partitions on that DC, for good luck)
> ntdsutil: delete NC DC=DomainDnsZones,DC=XXX
> etc. This will remove all references to that partition. (did I mention to make sure that the DNS zones corresponding to these partitions really are not used ;-)
Will this cause any immediate effect to my network DNS resolutions? This is a 24/7 Medical Hospital with these problems, I have to be REAL sure this doesn't cause ANY unscheduled disruptions in service and connectivity.
I am worried that I'll delete the partitions, and then the "recreate" will fail for some other reason and then our network would be "down", and I would be out....
Thanks for your help, I just have to make sure nothing goes too wrong while I am cleaning up these problems left behind from the previously FIRED tech team that I have been hired to clean up after. (I didn't know they were fired, or they had these problems before I was hired, and can't afford to be the next "fired guy"...lol)
What would Clark Kent do to someone who stole his identity?
wkasdo (Administrator, Netherlands, 7405 Posts)
Posted - 04/14/2009 : 4:18:25 PM
I understand you perfectly. If this partition is a "ghost", as the error indicates, nothing will change from the DNS perspective. To double-check, you have several ways to check that the partition is indeed unused.
1. try to open it in adsiedit (see several posts back). If it opens, it exists. If it does, explore it to see what zones it hosts.
2. open a DNS console for one of these DC's you found in the crossRef, and inspect all zones (including reverse!). If one of them has replication scope "all DNS servers in the domain", the partition exists.
(edit: typo)
Make it as simple as you can, but not simpler -- Albert Einstein
Edited by - wkasdo on 04/14/2009 4:19:27 PM
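Step 2 above (check every zone, reverse ones included, for the "all DNS servers in the domain" scope) can be done from the DnsServer module instead of clicking through the DNS console on each DC. This is an added example, not code from wkasdo or the thread. It assumes Windows Server 2012 or later DNS servers and the DnsServer RSAT module on the machine running it; DC1 and DC2 are placeholders for the two DCs named in the crossRef. The example goes slightly beyond the post by also catching zones placed in the DomainDnsZones partition through a "custom" scope.

```powershell
# Added example, not code from the thread. Implements wkasdo's step 2 with the
# DnsServer module instead of the DNS console: list every zone (forward and
# reverse) on each DC and flag any zone stored in the DomainDnsZones partition.
# Assumes Windows Server 2012 or later DNS servers and the DnsServer RSAT module;
# the DC names passed in are placeholders for the two DCs found in the crossRef.

Import-Module DnsServer

function Get-DomainPartitionZoneUsage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$DomainControllers
    )

    foreach ($dc in $DomainControllers) {
        # Get-DnsServerZone returns forward, reverse and automatically created zones alike
        foreach ($zone in Get-DnsServerZone -ComputerName $dc) {
            if (-not $zone.IsDsIntegrated) { continue }   # file-backed zones live in no partition

            # ReplicationScope values as the DNS console words them:
            #   Legacy = "all domain controllers in the AD domain"  (domain NC, what Rastor728 has)
            #   Domain = "all DNS servers in the domain"            (DomainDnsZones)
            #   Forest = "all DNS servers in the forest"            (ForestDnsZones)
            #   Custom = a named application partition, see DirectoryPartitionName
            $inDomainDnsZones = ($zone.ReplicationScope -eq 'Domain') -or
                                ($zone.ReplicationScope -eq 'Custom' -and
                                 $zone.DirectoryPartitionName -like 'DomainDnsZones.*')

            [pscustomobject]@{
                Dc               = $dc
                Zone             = $zone.ZoneName
                Reverse          = $zone.IsReverseLookupZone
                ReplicationScope = $zone.ReplicationScope
                Partition        = $zone.DirectoryPartitionName
                InDomainDnsZones = $inDomainDnsZones
            }
        }
    }
}

# Placeholder DC names; replace with the hosts named in msDS-NC-Replica-Locations
$usage = Get-DomainPartitionZoneUsage -DomainControllers 'DC1', 'DC2'
$usage | Format-Table -AutoSize

if ($usage | Where-Object InDomainDnsZones) {
    'At least one zone is stored in DomainDnsZones: the partition is in use, do not remove it.'
} else {
    'No zone on these DCs uses the DomainDnsZones partition.'
}
```

In Rastor728's situation every zone comes back with scope Legacy, which is why removing the DomainDnsZones crossRef changes nothing for DNS resolution: no zone data is stored in that partition.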
Rastor728 (Old Timer, USA, 736 Posts)
Posted - 04/15/2009 : 12:10:05 PM
quote: Originally posted by wkasdo
> I understand you perfectly. If this partition is a "ghost", as the error indicates, nothing will change from the DNS perspective. To double-check, you have several ways to check that the partition is indeed unused.
> 1. try to open it in adsiedit (see several posts back). If it opens, it exists. If it does, explore it to see what zones it hosts.
> 2. open a DNS console for one of these DC's you found in the crossRef, and inspect all zones (including reverse!). If one of them has replication scope "all DNS servers in the domain", the partition exists.
> (edit: typo)
re Step 1: it does list both of my only two Domain Controllers in the DC=DomainDnsZones,C=MGH
re Step 2: all of my zones, including reverse, have replication selected to "all domain controllers in Active Directory domain".
What looks like the problem you describe is confusing. None of the DNS zones is set to replicate to DNS Servers in the Domain (that doesn't mean they weren't at some time in the past) BUT ADSIEdit shows both servers included in the DomainDNSZones msDS-NC-Replica-Locations.
When I attempt to "create default application directory partitions", the system reports that the partitions already exist.
Guess I am just a little paranoid and worried about taking AD down in my "attempts" to clear up an event log entry that doesn't seem to be hurting anything at the current time. I know I need to clear the problem sooner than later, I just want to make sure I don't cause more problems than I am trying to clear up, especially since I am the "new guy" hired to clean things up.
Any other tests, or documentation that I can refer to as I plan to jump off the cliff?
What would Clark Kent do to someone who stole his identity?
Edited by - Rastor728 on 04/15/2009 12:27:30 PM
wkasdo (Administrator, Netherlands, 7405 Posts)
Posted - 04/15/2009 : 4:39:33 PM
> re Step 1: it does list both of my only two Domain Controllers in the DC=DomainDnsZones,C=MGH
I think you misunderstood me. To open a partition in adsiedit, you:
- right click --> connect to
- select "type DN or NC"
- type: DC=domainDNSZones,DC=XXXX
This will open the DNS partition in the same way you can view the Domain or Configuration partition. When it opens, browse to CN=MicrosoftDNS. Under that, you will see the actual zones it hosts -- if the partition exists!
Make it as simple as you can, but not simpler -- Albert Einstein
Rastor728 (Old Timer, USA, 736 Posts)
Posted - 04/15/2009 : 5:03:03 PM
quote: Originally posted by wkasdo
> > re Step 1: it does list both of my only two Domain Controllers in the DC=DomainDnsZones,C=MGH
> I think you misunderstood me. To open a partition in adsiedit, you:
> - right click --> connect to
> - select "type DN or NC"
> - type: DC=domainDNSZones,DC=XXXX
> This will open the DNS partition in the same way you can view the Domain or Configuration partition. When it opens, browse to CN=MicrosoftDNS. Under that, you will see the actual zones it hosts -- if the partition exists!
You only have to hit me three times to sink it in....lol
I did as you said and it reports that the Directory Object was not found.
What would Clark Kent do to someone who stole his identity?
wkasdo (Administrator, Netherlands, 7405 Posts)
Posted - 04/16/2009 : 02:55:24 AM
> You only have to hit me three times to sink it in....lol
Only three times? That's pretty good!
> I did as you said and it reports that the Directory Object was not found.
Right. So everything points to this being a ghost partition. Next step would be the ntdsutil thing to remove it.
Make it as simple as you can, but not simpler -- Albert Einstein
Rastor728 (Old Timer, USA, 736 Posts)
Posted - 04/16/2009 : 2:29:51 PM
TADA!!! Seems to work, I'll know more after my "reboot" this weekend but the error messages have stopped!
If you are ever in Washington State (USA), let me know, I'll buy you any libation I can get for you.
What would Clark Kent do to someone who stole his identity?
wkasdo (Administrator, Netherlands, 7405 Posts)
Posted - 04/16/2009 : 2:49:43 PM
Glad to hear it, thanks for the update!
> If you are ever in Washington State (USA),
I might do that... I work for a company in that area. Take care.
Make it as simple as you can, but not simpler -- Albert Einstein