Steps taken to resolve an issue with corrupted application partitions, specifically, DNS partitions and their CrossRef(erence) objects in the AD Configuration Container



Original compilation and blog date: 6/20/2012


 


Preface


This was a pro bono support procedure I performed for a poster in the Microsoft Technet forums. There were numerous problems, from an attempted replica promotion, then unplugged because it wouldn’t replicate, to numerous other errors. The efforts in the forum were difficult because anything we suggested just wouldn’t work, which indicated a deeper problem.


Here’s the original thread for reference. The original post date was 11/29/2011, but a few of us tried to assist for a month or so, until I offered to remote in to repair it. Final completion was approximately 1/16/2012.


Technet Forum Thread: “Issue with windows server 2008 R2 active directory access” Original post 11/29/2011
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/964ca0ff-3264-4f00-bda1-5ed3a3cc2801/


 


Procedure


***********************************************************************


C:\Users\admin>netdom query fsmo
Schema master               dserver2.CRL.lan
Domain naming master        dserver2.CRL.lan
PDC                         dserver2.CRL.lan
RID pool manager            dserver2.CRL.lan
Infrastructure master       dserver2.CRL.lan
The command completed successfully.


***********************************************************************
Dcdiag shows:
      Starting test: MachineAccount
         Checking machine account for DC DSERVER2 on DC DSERVER2.
         Warning:  Attribute userAccountControl of DSERVER2 is:
            0x82020 = ( PASSWD_NOTREQD | SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
         Typical setting for a DC is
            0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
         This may be affecting replication?
         * SPN found :LDAP/dserver2.CRL.lan/CRL.lan
         * SPN found :LDAP/dserver2.CRL.lan
         * SPN found :LDAP/DSERVER2
         * SPN found :LDAP/dserver2.CRL.lan/CRL
         * SPN found :LDAP/b072f201-6e73-4798-93b1-01c0e084cc4d._msdcs.CRL.lan
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/b072f201-6e73-4798-93b1-01c0e084cc4d/CRL.lan
         * SPN found :HOST/dserver2.CRL.lan/CRL.lan
         * SPN found :HOST/dserver2.CRL.lan
         * SPN found :HOST/DSERVER2
         * SPN found :HOST/dserver2.CRL.lan/CRL
         * SPN found :GC/dserver2.CRL.lan/CRL.lan


I changed it to what it should be: 0x82000 by using ADSI Edit:


ADSI Edit shows decimal value for UserAccountControl as 532512 (0x82020)
I changed it to 532480 (0x82000)
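As an added example (not from the original post), here is a PowerShell check that decodes a DC computer account's userAccountControl, reports the PASSWD_NOTREQD bit dcdiag warned about, and clears it only when run with -Fix. It assumes the ActiveDirectory module is available; the DC name is a placeholder.

```powershell
# Added example (not from the original post): decode a DC's userAccountControl,
# report the PASSWD_NOTREQD bit dcdiag warned about (0x82020) and, only with
# -Fix, clear it so the value matches the typical DC setting (0x82000).
# Assumes the ActiveDirectory module; $DcName is a placeholder.
param(
    [string]$DcName = 'DSERVER2',   # placeholder: the DC's computer account name
    [switch]$Fix
)
Import-Module ActiveDirectory

# The userAccountControl bits that matter for a domain controller account.
$UacBits = @{
    PASSWD_NOTREQD         = 0x20
    SERVER_TRUST_ACCOUNT   = 0x2000
    TRUSTED_FOR_DELEGATION = 0x80000
}
$TypicalDcUac = $UacBits.SERVER_TRUST_ACCOUNT -bor $UacBits.TRUSTED_FOR_DELEGATION   # 0x82000

function Get-UacFlagNames([int]$Uac) {
    # Name every known bit that is set; anything else is shown in hex.
    $known = 0
    foreach ($name in $UacBits.Keys) {
        $known = $known -bor $UacBits[$name]
        if ($Uac -band $UacBits[$name]) { $name }
    }
    $rest = $Uac -band -bnot $known
    if ($rest -ne 0) { '0x{0:X}' -f $rest }
}

$dc  = Get-ADComputer -Identity $DcName -Properties userAccountControl
$uac = [int]$dc.userAccountControl
'{0}: userAccountControl = {1} (0x{1:X}) = {2}' -f $dc.Name, $uac, ((Get-UacFlagNames $uac) -join ' | ')

if ($uac -band $UacBits.PASSWD_NOTREQD) {
    # This is the state the post found: 532512 (0x82020) instead of 532480 (0x82000).
    Write-Warning 'PASSWD_NOTREQD is set on a domain controller account; dcdiag MachineAccount will warn.'
    $wanted = $uac -band -bnot $UacBits.PASSWD_NOTREQD
    if ($Fix) {
        Set-ADObject -Identity $dc.DistinguishedName -Replace @{ userAccountControl = $wanted }
        'userAccountControl set to {0} (0x{0:X})' -f $wanted
    } else {
        'Re-run with -Fix to set userAccountControl to {0} (0x{0:X})' -f $wanted
    }
} elseif ($uac -ne $TypicalDcUac) {
    Write-Warning ('Value differs from the typical DC setting 0x{0:X}; review before changing.' -f $TypicalDcUac)
} else {
    'userAccountControl matches the typical DC setting.'
}
```

Run it without -Fix first; it only reads the object and tells you what it would change.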


Ref:
Incorrect userAccountControl Attribute value causes error when running DCDIAG or during promotion of a server to a DC
http://blogs.dirteam.com/blogs/jorge/archive/2006/08/27/Incorrect-_2600_quot_3B00_userAccountControl_2600_quot_3B00_-Attribute-value-causes-error-when-running-DCDIAG-or-during-promotion-of-a-server-to-a-DC.aspx



***********************************************************************
Then restarted AD Domain Services service.


Event ID 5706:
The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\CRL.lan\SCRIPTS.  The following error occurred:
The system cannot find the file specified.



***********************************************************************


Computer Browser service disabled.


Although not necessary, I enabled it in order to view network shares.


No harm in keeping it enabled.



***********************************************************************


To see if any other DCs are in the domain, I ran metadata cleanup, but I found DSERVER2 is the only one, then quit the utility.


C:\Users\admin>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server dserver2
Binding to dserver2 ...
Connected to dserver2 using credentials of locally logged on user.
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=CRL,DC=lan
select operation target: select domain 0
No current site
Domain - DC=CRL,DC=lan
No current server
No current Naming Context
select operation target: lists sites
Error parsing Input - Invalid Syntax.
select operation target: list sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CRL,DC=lan
select operation target: select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CRL,DC=lan
Domain - DC=CRL,DC=lan
No current server
No current Naming Context
select operation target: list servers in site
Found 1 server(s)
0 - CN=DSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CRL,DC=lan
select operation target: quit
metadata cleanup: quit
ntdsutil: quit


C:\Users\admin>



***********************************************************************


More on Event ID 5706:


Went to:
Event ID 3051 and 5706 on domain controllers
http://support.microsoft.com/?id=258805


Checked reg entry per article:
These error messages can occur if entries under the following registry key on the domain controller are missing or incorrect:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters


Stopped netlogon service


Reg location shows a value for SYSVOL, and the SYSVOL path exists to c:\windows\sysvol\sysvol
Removed sysvol value
Created:
On the Edit menu, click Add Value, and then add the following registry values:
Value Name: DBFlag
 Data Type: REG_SZ
 Value: 0




Started Netlogon


Netlogon share still not created.
Folders are missing in SYSVOL.


This could be because this server is a replica DC and the initial replication never occurred.
I manually created the SYSVOL structure by creating the following folders under c:\windows\sysvol\sysvol:
     ClientAgent
     Policies
     Scripts


Restarted AD Domain Services.


Netlogon successfully shared and started.


Missing policies in Policies folder.


Event ID 1058


Default Policies show up in GPMC, but cannot connect or view settings.


***********************************************************************


Used the following to rebuild the missing SYSVOL folders:


How to rebuild the SYSVOL tree and its content in a domain
http://support.microsoft.com/kb/315457 


Note – since this is the only DC in the domain, I used the D4 option to build a new one.
D2 would have been used to pull a copy from another DC.


To configure the SYSVOL replica set to be authoritative, follow these steps:
• Click Start, click Run, type regedit, and then click OK.
• Locate and then click the BurFlags entry under the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID
  GUID is the GUID of the domain system volume replica set that is shown in the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID
• Right-click BurFlags, and then click Modify.
• Type D4 in the Value Data field (HexaDecimal), and then click OK.


No good… Ok, next step to recreate the default GPOs…


***********************************************************************
Ran:
dcgpofix /ignoreschema


Didn’t have permissions to run it.
Added myself to the Enterprise Admins and Schema Admins
Logged off, then on again.



Ran the command again. SYSVOL policies and everything else are now created.
GPMC now shows both policies and all settings.



***********************************************************************
Symantec Endpoint Installed!! WHAT???


SEP has a known issue with blocking domain communications.


Please uninstall and reboot and get back to me.



***********************************************************************


Still cannot connect to DomainDnsZones or ForestDnsZones partitions.


Error messages:



—————————
ADSIEdit
—————————
Operation failed. Error code: 0x202b
A referral was returned from the server.
0000202B: RefErr: DSID-031006BB, data 0, 1 access points
 ref 1: 'DomainDnsZones.CRL.lan'


—————————
OK  
—————————


and


—————————
ADSIEdit
—————————
Operation failed. Error code: 0x202b
A referral was returned from the server.
0000202B: RefErr: DSID-031006BB, data 0, 1 access points
 ref 1: 'ForestDnsZones.CRL.lan'


—————————
OK  
—————————



***********************************************************************


C:\Users\admin>dnscmd dserver2 /EnlistDirectoryPartition DomainDnsZones.CRL.lan


Enlist directory partition failed: DomainDnsZones.CRL.lan
    status = 9904 (0x000026B0)
Command failed:  DNS_ERROR_DP_ALREADY_ENLISTED     9904



C:\Users\admin>


***********************************************************************


C:\Users\admin>dnscmd dserver2 /EnlistDirectoryPartition ForestDnsZones.CRL.lan


Enlist directory partition failed: ForestDnsZones.CRL.lan
    status = 9904 (0x000026B0)
Command failed:  DNS_ERROR_DP_ALREADY_ENLISTED     9904



C:\Users\admin>



***********************************************************************


C:\Users\admin>dnscmd /Enumdirectorypartitions
Enumerated directory partition list:


        Directory partition count = 2
 DomainDnsZones.CRL.lan                    Enlisted Auto Domain
 ForestDnsZones.CRL.lan                    Enlisted Auto Forest


 


***********************************************************************



The two partitions are obviously corrupt.



***********************************************************************



Using ADSI Edit, I deleted the DomainDnsZones and ForestDnsZones partitions:


Reference:


Are Your DNS Application Partitions Corrupt?
http://cbfive.com/blog/post/Are-Your-DNS-Application-Partitions-Corrupt.aspx



Using ADSIEdit.msc
 1. Navigate to the CrossRef object for the application partition on a specific DC (CN=Partitions,CN=Configuration,DC=Domain,DC=Com)
 2. Delete the CrossRef object, essentially skipping to step 7 below.
 3. Force replication, validate that the partition is gone.
 4. Restart DNS, the service will re-add the partition.


Optionally, you can do it this way, too:


Using NTDSUtil:
 1. Open the CMD prompt
 2. NTDSUtil
 3. Domain Management (In 2008 it changes to "partition management")
 4. Connections => connect to server ERICSDC01
 5. Quit
 6. List              <-- to see zones
 7. Delete NC DC=DomainDNSZones,DC=Domain,DC=Com (This Deletes the CrossRef Object)
 8. Force replication, validate that the partition is gone.
 9. Restart DNS, the service will re-add the partition.
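As an added example (not from the original post or the referenced blog), here is a PowerShell check that lists the DNS application partition crossRef objects under CN=Partitions and verifies that each one points to a naming context the DC actually hosts and can read, which is the condition the 0x202b referral errors above violate. It assumes the ActiveDirectory module; the server name is a placeholder.

```powershell
# Added example (not from the original post): check the crossRef objects for
# DomainDnsZones / ForestDnsZones against what the DC really hosts.
# Assumes the ActiveDirectory module; $Server is a placeholder DC name.
param([string]$Server = 'dserver2')
Import-Module ActiveDirectory

$root = Get-ADRootDSE -Server $Server
$partitions = 'CN=Partitions,' + $root.configurationNamingContext

# Every crossRef whose dnsRoot is a DomainDnsZones or ForestDnsZones partition.
$dnsRefs = Get-ADObject -Server $Server -SearchBase $partitions -LDAPFilter '(objectClass=crossRef)' `
    -Properties nCName, dnsRoot, Enabled, systemFlags |
    Where-Object { $_.dnsRoot -match '^(Domain|Forest)DnsZones\.' }

if (-not $dnsRefs) { Write-Warning "No DNS application partition crossRefs found under $partitions"; return }

$hosted = $root.namingContexts   # the naming contexts this DC actually holds

foreach ($ref in $dnsRefs) {
    $nc = $ref.nCName
    $problems = @()
    if ($ref.Enabled -eq $false) { $problems += 'crossRef disabled (partition never instantiated)' }
    if ($hosted -notcontains $nc) {
        $problems += 'nCName not in this DC''s namingContexts'
    } else {
        # Reading the NC head on the same DC must not come back as a referral (0x202b).
        try { $null = Get-ADObject -Server $Server -Identity $nc -ErrorAction Stop }
        catch { $problems += "NC head unreadable: $($_.Exception.Message)" }
    }
    [pscustomobject]@{
        dnsRoot = $ref.dnsRoot
        nCName  = $nc
        Status  = if ($problems) { $problems -join '; ' } else { 'OK' }
    }
}
```

A row whose Status is not OK while dnscmd /EnumDirectoryPartitions still reports the partition as Enlisted is the mismatch this post worked around by deleting and recreating the partition.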



***********************************************************************


After deleting DomainDnsZones:


C:\Users\admin>dnscmd /Enumdirectorypartitions
Enumerated directory partition list:


        Directory partition count = 2
 DomainDnsZones.CRL.lan                    Enlisted Deleted Auto Domain
 ForestDnsZones.CRL.lan                    Enlisted Auto Forest



Command completed successfully.



***********************************************************************


Recreated DomainDnsZones


Right click DNS Server Name
Configure Default Application Directory Partitions.


Click YES for Domain partition
On Second Prompt, Click NO for Forest partition


 


***********************************************************************



After recreating DomainDnsZones and then deleting ForestDnsZones:


C:\Users\admin>dnscmd /Enumdirectorypartitions
Enumerated directory partition list:


        Directory partition count = 2
 DomainDnsZones.CRL.lan                    Enlisted Auto Domain
 ForestDnsZones.CRL.lan                    Enlisted Deleted Auto Forest



Command completed successfully.



***********************************************************************


Recreated ForestDnsZones


Right click DNS Server Name
Configure Default Application Directory Partitions.


Click NO for Domain partition
On Second Prompt, Click YES for Forest partition



***********************************************************************



After recreating ForestDnsZones:


C:\Users\admin>dnscmd /Enumdirectorypartitions
Enumerated directory partition list:


        Directory partition count = 2
 DomainDnsZones.CRL.lan                    Enlisted Auto Domain
 ForestDnsZones.CRL.lan                    Enlisted Auto Forest



Command completed successfully.


***********************************************************************


Symantec Endpoint uninstalled and rebooted.



***********************************************************************


Event log errors are now CLEAN!!!!  <nice!>



***********************************************************************


Symantec Endpoint reinstalled. I excluded the whole C:\windows folder and all subfolders. This will take care of
the NTDS and SYSVOL folders, and anything else it may try to block or quarantine.


***********************************************************************


C:\Users\admin>NTFRSUTL ds dserver2
NTFRS CONFIGURATION IN THE DS
SUBSTITUTE DCINFO FOR DC
   FRS  DomainControllerName: (null)
   Computer Name            : DSERVER2
   Computer DNS Name        : dserver2.CRL.lan


BINDING TO THE DS:
   ldap_connect     : dserver2.CRL.lan
   DsBind     : dserver2.CRL.lan


NAMING CONTEXTS:
   SitesDn    : CN=Sites,cn=configuration,dc=crl,dc=lan
   ServicesDn : CN=Services,cn=configuration,dc=crl,dc=lan
   DefaultNcDn: DC=CRL,DC=lan
   ComputersDn: CN=Computers,DC=CRL,DC=lan
   DomainCtlDn: OU=Domain Controllers,DC=CRL,DC=lan
   Fqdn       : CN=dserver2,OU=Domain Controllers,DC=CRL,DC=lan
   Searching  : Fqdn


COMPUTER: DSERVER2
   DN   : cn=dserver2,ou=domain controllers,dc=crl,dc=lan
   Guid : dcab9611-82fe-4ba3-93ace6f3764c44ea
   UAC  : 0x00082000
   Server BL : CN=DSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CRL,DC=lan
   Settings  : cn=ntds settings,cn=dserver2,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=crl,dc=lan
   DNS Name  : dserver2.CRL.lan
   WhenCreated  : 4/26/2011 11:25:2 Atlantic Standard Time Atlantic Daylight Time [240]
   WhenChanged  : 1/11/2012 16:52:4 Atlantic Standard Time Atlantic Daylight Time [240]


   SUBSCRIPTION: NTFRS SUBSCRIPTIONS
      DN   : cn=ntfrs subscriptions,cn=dserver2,ou=domain controllers,dc=crl,dc=lan
      Guid : 1315f31c-01a0-4d69-a14fe529e4b0cf49
      Working       : c:\windows\ntfrs
      Actual Working: c:\windows\ntfrs
      WhenCreated  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic DaylightTime [240]
      WhenChanged  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic DaylightTime [240]


      SUBSCRIBER: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
         DN   : cn=domain system volume (sysvol share),cn=ntfrs subscriptions,cn=dserver2,ou=domain controllers,dc=crl,dc=lan
         Guid : d46515fe-51d5-4f79-bec29effd142df73
         Member Ref: CN=DSERVER2,CN=Domain System Volume (SYSVOL share),CN=FileReplication Service,CN=System,DC=CRL,DC=lan
         Root      : c:\windows\sysvol\domain
         Stage     : c:\windows\sysvol\staging\domain
         WhenCreated  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic Daylight Time [240]
         WhenChanged  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic Daylight Time [240]
   Subscriber Member Back Links:
      cn=dserver2,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=crl,dc=lan


SETTINGS: FILE REPLICATION SERVICE
   DN   : cn=file replication service,cn=system,dc=crl,dc=lan
   Guid : 70c455df-5704-4d2a-b11ab0eb36b6e907
   WhenCreated  : 4/3/2004 11:56:54 Atlantic Standard Time Atlantic Daylight Time [240]
   WhenChanged  : 4/26/2011 12:2:46 Atlantic Standard Time Atlantic Daylight Time [240]


   SET: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
      DN   : cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=crl,dc=lan
      Guid : bd486d4a-9726-4419-9589524e9fe04470
      Type          : 2
      Primary Member: (null)
      File Filter   : *.tmp, *.bak, ~*
      Dir  Filter   : (null)
      FRS Flags     : (null)
      WhenCreated  : 4/3/2004 12:4:36 Atlantic Standard Time Atlantic Daylight Time [240]
      WhenChanged  : 4/26/2011 12:3:5 Atlantic Standard Time Atlantic Daylight Time [240]


      MEMBER: DSERVER2
         DN   : cn=dserver2,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=crl,dc=lan
         Guid : 4884a00f-e43c-438b-b420ef689c6448fe
         Server Ref     : CN=NTDS Settings,CN=DSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=CRL,DC=lan
         Computer Ref   : cn=dserver2,ou=domain controllers,dc=crl,dc=lan
         Cracked Domain : CRL.lan
         Cracked Name   : 00000002 CRL\DSERVER2$
         Cracked Domain : CRL.lan
         Cracked Name   : fffffff4 S-1-5-21-1273149174-3599686218-3002231784-1246
         Computer’s DNS : dserver2.CRL.lan
         WhenCreated  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic Daylight Time [240]
         WhenChanged  : 4/26/2011 12:6:53 Atlantic Standard Time Atlantic Daylight Time [240]


C:\Users\admin>


***********************************************************************


Final dcdiag /v errors:


      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            CN=Schema,CN=Configuration,DC=CRL,DC=lan
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
            CN=Configuration,DC=CRL,DC=lan
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
            DC=CRL,DC=lan
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
         * Replication Site Latency Check
         ......................... DSERVER2 passed test Replications


I wouldn’t worry about this. DCDIAG is just reporting that you have a retired NTDS object (a DC). No prob there. It shows zero for any latency issues and is only flagging the one retired partner. There are no errors and warnings, so I’m cool with this being fixed.


***********************************************************************



I was now finally able to change the replication scope of _msdcs.crl.lan to ForestDnsZones, and crl.lan to DomainDnsZones, and set Dynamic Updates to Secure only.



***********************************************************************


 


Ace Fekay


Comments, suggestions, corrections, alternative procedure suggestions, etc, are welcomed!