GC Promotion

I needed to remove my DC/GC from the network. Big mistake, but it is now
gone.

Anyway before I did I tried promoting another DC to be a GC. I had to use
the seize, etc.

The original GC is now gone off the network.

The new GC doesn't seem to be taking on it's role.

I can make a change in AD and it does in fact replicate to the other DCs on
the network.

When I try to run netdiag I get an error saying "procedure entry point
dnsgetprimarydomainname_utf8 could not
be located in the dynamic link library dnsapi.dll"

Also, I tried running dcdiag and I get error "Testing Server:
Default-first-site-name\Glenn

StartingTest: Connectivity

[Glenn] DsBindWithSpnEX <> failed with error -2146892976, the system
detected a possible attempt to compromise security. Please ensure that you
can contact the server that authenticated you
glenn failed test connectivity

Doing primary tests

Testing server: Default-first-site-name\Glenn skipping all tests because
server Glenn is not responding to directory service requests

there was also more on the screen but didn't see any error messages in any
of that."

Any suggestions on what to do?

I also had posted these questions on exchange.admin, but didn't know if
they'd be answered there since they now seem to be more about the server
itself rather than just exchange (although exchange won't work because of
this situation)

Glenn wrote:
> I needed to remove my DC/GC from the network. Big mistake, but it is
> now gone.
>
> Anyway before I did I tried promoting another DC to be a GC. I had
> to use the seize, etc.

A Global Catalog is not an FSMO role and they are not seized. You can have
as many Global Catalogs as you want, as long as you have at least one in
your forest.

Did the DC removed hold any of the FSMO roles and did you transfer them?
Did you use DCpromo to demote the removed DC? If you did, it would have
attempted to transfer the FSMO roles, and the DCPromo would have failed if
it didn't.

IF you did not DCPromo the old DC out of the network, follow the KB below.

Make sure the Domain Controller is using only the DNS server that has the
zone for the AD domain/forest.

255504 - Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain
Controller: http://support.microsoft.com/default...b;en-us;255504

216498 - HOW TO Remove Data in Active Directory After an Unsuccessful Domain
Controller Demotion:
http://support.microsoft.com/default...b;EN-US;216498

255690 - HOW TO View and Transfer FSMO Roles in the Graphical User
Interface: http://support.microsoft.com/default...b;en-us;255690

313994 - How To Create or Move a Global Catalog in Windows 2000:
http://support.microsoft.com/default...roduct=win2000



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

i've followed all of those steps, but still get the same error about the
possible attempt to compromise security when I run dcdiag...even on the
domain naming master itself....at least I think it is the domain naming
master
"Kevin D. Goodknecht Sr. [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Glenn wrote:
> > I needed to remove my DC/GC from the network. Big mistake, but it is
> > now gone.
> >
> > Anyway before I did I tried promoting another DC to be a GC. I had
> > to use the seize, etc.
>
> A Global Catalog is not an FSMO role and they are not seized. You can have
> as many Global Catalogs as you want, as long as you have at least one in
> your forest.
>
> Did the DC removed hold any of the FSMO roles and did you transfer them?
> Did you use DCpromo to demote the removed DC? If you did, it would have
> attempted to transfer the FSMO roles, and the DCPromo would have failed
if
> it didn't.
>
> IF you did not DCPromo the old DC out of the network, follow the KB below.
>
> Make sure the Domain Controller is using only the DNS server that has the
> zone for the AD domain/forest.
>
> 255504 - Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain
> Controller: http://support.microsoft.com/default...b;en-us;255504
>
> 216498 - HOW TO Remove Data in Active Directory After an Unsuccessful
Domain
> Controller Demotion:
> http://support.microsoft.com/default...b;EN-US;216498
>
> 255690 - HOW TO View and Transfer FSMO Roles in the Graphical User
> Interface: http://support.microsoft.com/default...b;en-us;255690
>
> 313994 - How To Create or Move a Global Catalog in Windows 2000:
>
http://support.microsoft.com/default...roduct=win2000
>
>
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> https://secure.lsaol.com/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
>
>

Glenn wrote:
> i've followed all of those steps, but still get the same error about
> the possible attempt to compromise security when I run dcdiag...even
> on the domain naming master itself....at least I think it is the
> domain naming master

Please post an unedited ipconfig /all and the Name of your AD domain from
ADU&C.

Make sure the Netdiag and Dcdiag tools are the correct version for the OS,
and that the remote registry service is running.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

In news:(E-Mail Removed),
Glenn <(E-Mail Removed)> stated, which I commented on below:
> i've followed all of those steps, but still get the same error about
> the possible attempt to compromise security when I run dcdiag...even
> on the domain naming master itself....at least I think it is the
> domain naming master

Did you follow the specific steps in 216498 (that Kevin posted) in regards
to running a Metadata Cleanup to remove the references for the missing
domain controllers? Were they also deleted in Sites and Services, as well as
out of the Domain Controllers OU?

To make a DC a GC, go into Sites and Services, click on Sitename, then
Servers, then servername, then rt-click on the NTDS object, choose
properties. There's a checkbox to make it a GC if you desire.

To find out which server holds which FSMO roles, use 255690, which Kevin
posted the link for.

In addition to the info that Kevin requested, post any Event log errors on
any of the DCs. The Event ID# and Source would be helpful.


--
Ace
Innovative IT Concepts, Inc
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...