Second domain controller refusing to complete promotion correctly.

 
 
Casey (07-01-2005, 06:21 AM)
Frustrating problem.

Brand new SBS 2003 Prem with SP1 installed from scratch.

I try to add another domain controller using DCpromo, and it adds itself
seemingly perfectly. But as soon as the new DC is re-booted to complete the
install, the following events occur in the logs:

I am tearing my hair out!!! I've googled these errors and tried various
ways around it, but really, it shouldn't be this hard to add another domain
controller, should it??

SBS machine (pseudo-PDC)
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 1411
Active Directory failed to construct a mutual authentication
service principal name (SPN) for the following domain controller. Domain
controller: 420ecc78-5143-4619-a6e6-0aecc3c46e5e._msdcs.ivvaust.local. The
call was denied. Communication with this domain controller might be
affected. Additional Data Error value: 8589 The DS cannot derive a service
principal name (SPN) with which to mutually authenticate the target server
because the corresponding server object in the local DS database has no
serverReference attribute.


Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Description:
Logon Failure:
Reason: An error occurred during logon
User Name: <The servers name>$
Domain: <Our domain name>
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC00002EE
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -


Additional DC
Application event log

Source Userenv
EventID 1097
Windows cannot find the computer account. The local security
authority cannot be contacted

Source Userenv
EventID 1030
Windows cannot query for the list of group policy objects. Check
the event log for possible messages previously logged by the policy engine
that describes the reason for this.

Source Autoenrollment
EventID 13
Automatic Certificate enrollment for local system failed to
enroll for one Domain Controller certificate (0x800706ba.) The RPC server is
unavailable

System event log
Source DCOM
eventID 10009
DCOM was unable to communicate with the computer <domain
controller's name here> using any of the configured protocols



 
Dave P (07-01-2005, 02:13 PM)
From what I believe it's down to SBS; the shortfall is that you can
only have 1 domain controller on the network, which is why it is aimed
at small businesses rather than a larger organisation.

 
Phillip Windell (07-01-2005, 02:40 PM)
You can have more than one DC, but you can have only one SBS, and SBS must be
the PDC emulator. In an SBS system a second DC is not as beneficial as in
a regular system because it cannot take over the domain if SBS goes down
totally and has to be rebuilt: the SBS will not join itself back to the
domain on the rebuild and will insist on creating a new empty domain. I
think someone has a website with information about some kind of workaround,
but I have no details on it.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------



Marina Roos [SBS-MVP] (07-01-2005, 03:06 PM)
Hi Casey,

How about using the servername/connectcomputer to join that member DC?

--
Regards,

Marina Roos
Microsoft SBS-MVP
One of the Magical M&M's
www.smallbizserver.net
Take part in SBS forum:
http://www.smallbizserver.net/Default.aspx?tabid=53

 
SuperGumby [SBS MVP] (07-02-2005, 12:53 AM)
You may be interested in this article, which details the steps necessary to
reintroduce SBS into your existing domain, should you stuff up SBS so much
that you are unable to recover it from your backups.

How to install Small Business Server 2003 in an existing Active Directory
domain
http://support.microsoft.com/?id=884453

It has always been possible to add SBS 2000 or SBS 2003 to an existing AD.

 
Karl Middleton (07-03-2005, 06:08 AM)
Casey,

I think the clue lies in the second DC's event log. It says that it can't find
the computer account. Try making the machine a member server of the SBS domain
before running DCPromo. It looks like you have not done this.

Other things include making sure that the second DC has its DNS set up
correctly to point at the SBS box (use static entries, not DHCP). I find
that is the biggest reason why you can't DCPromo properly. Proper
DNS resolution against the AD is crucial to properly DCPromo-ing. If you use
an alternative DNS server you will have trouble if it doesn't understand the
extra records that AD requires.
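As an added diagnostic example (not code from the thread, from Microsoft, or from any poster), the script below pulls the new DC's DSA GUID and the forest name out of the event 1411 text posted above, lists the DNS records that Karl's "extra records that AD requires" refers to (the names Netlogon registers for a DC, which the new DC's resolver must answer), and derives the DN that the server object's missing serverReference (error 8589) should point at. The host name dc2, the site name and the resolver answers are constructed assumptions.

```python
import re

# Event 1411 description, constructed from the text quoted in the original post.
EVENT_1411 = (
    "Active Directory failed to construct a mutual authentication service "
    "principal name (SPN) for the following domain controller. Domain "
    "controller: 420ecc78-5143-4619-a6e6-0aecc3c46e5e._msdcs.ivvaust.local. "
    "The call was denied."
)

# <DSA GUID>._msdcs.<forest DNS name> as it appears in the event text.
_GUID_NAME = re.compile(
    r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\._msdcs\."
    r"([a-z0-9.-]+?)\.?(?:\s|$)", re.I)


def parse_event_1411(text):
    """Return (dsa_guid, forest) from an NTDS Replication event 1411 text."""
    m = _GUID_NAME.search(text)
    if not m:
        raise ValueError("no <GUID>._msdcs.<forest> name found in event text")
    return m.group(1).lower(), m.group(2).lower()


def required_dns_records(forest, dsa_guid, dc_host, site="Default-First-Site-Name"):
    """(name, type) pairs a DC registers through Netlogon and that a newly
    promoted DC and its peers rely on.  Single-domain forest assumed (SBS)."""
    d = forest
    return [
        (f"{dc_host}.{d}", "A"),
        (f"{dsa_guid}._msdcs.{d}", "CNAME"),  # DSA GUID -> DC FQDN, used by replication
        (f"_ldap._tcp.{d}", "SRV"),
        (f"_kerberos._tcp.{d}", "SRV"),
        (f"_kpasswd._tcp.{d}", "SRV"),
        (f"_ldap._tcp.dc._msdcs.{d}", "SRV"),
        (f"_kerberos._tcp.dc._msdcs.{d}", "SRV"),
        (f"_ldap._tcp.pdc._msdcs.{d}", "SRV"),
        (f"_ldap._tcp.gc._msdcs.{d}", "SRV"),  # registered by GCs; the SBS box is one
        (f"_ldap._tcp.{site}._sites.dc._msdcs.{d}", "SRV"),
    ]


def missing_records(required, answers):
    """answers maps (name, type) -> list of values obtained from the DNS
    server the new DC points at; returns records that are absent or empty."""
    return [rec for rec in required if not answers.get(rec)]


def expected_server_reference(dc_host, forest):
    """DN the serverReference attribute on CN=<dc>,CN=Servers,CN=<site>,
    CN=Sites,CN=Configuration,... should hold: the DC's own computer object.
    Compare case-insensitively; DNs are not case-sensitive."""
    domain_dn = ",".join("DC=" + label for label in forest.split("."))
    return f"CN={dc_host},OU=Domain Controllers,{domain_dn}"


if __name__ == "__main__":
    guid, forest = parse_event_1411(EVENT_1411)
    required = required_dns_records(forest, guid, "dc2")  # dc2: hypothetical new DC
    # Constructed resolver answers: everything present except the GUID CNAME,
    # which is what you would see if the new DC's Netlogon registration never landed.
    answers = {rec: ["answered"] for rec in required if rec[1] != "CNAME"}
    for name, rtype in missing_records(required, answers):
        print(f"missing {rtype} record: {name}")
    print("serverReference should be:", expected_server_reference("dc2", forest))
```

Feed the answers dict from real nslookup/dcdiag output against the DNS server the new DC is configured to use; any name listed as missing is a registration or replication problem to fix before re-running DCPromo.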



 
Casey (07-04-2005, 12:12 AM)
Mmm... thank you!

The second DC is just so we have a quicker logon path in a remote office.
(The DCs are all still in the same site though... I realise that SBS
doesn't allow other sites! :-) )

The second DC will provide local DNS and DHCP so we don't have to use a
couple of shitty routers we have in place right now... (they're shockers)

"SuperGumby [SBS MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> you may be interested in this article which details the steps necessary to
> reintroduce SBS into your existing domain, should you stuff up SBS so much
> that you are unable to recover it from your backups.
>
> How to install Small Business Server 2003 in an existing Active Directory
> domain
> http://support.microsoft.com/?id=884453
>
> It has always been possible to add SBS 2000 or SBS2003 to an existing AD.
Casey (07-04-2005, 12:14 AM)
I tried that....

Actually, connecting the machine is fine... it's only when it re-boots that it
has issues...

I found an MS article that refers to the exact messages I'm getting, but the
only time they ever see it is when the main DC has not finished booting and
Netlogon is not started yet, causing the authentication error. This is most
certainly not the case.

"Marina Roos [SBS-MVP]" <(E-Mail Removed)> wrote in message
news:%23F8g$(E-Mail Removed)...
> Hi Casey,
>
> How about using the servername/connectcomputer to join that member DC?
Casey (07-04-2005, 12:16 AM)
Replies below.

"Karl Middleton" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Casey,
>
> I think the clue lies in the second DC event log. It says that it can't
> find computer account. Try making the machine a member server of the SBS
> domain before running DCPromo. It looks like you have not done this.


Yes, this is what I did. The machine was made a member server first... and
this worked perfectly! No error with the computer account at all. It was
only when it was promoted to a DC that the issue started, which is what is so
frustrating!

>
> Other things include making sure that the second DC is has its DNS set up
> correctly to point at the SBS box (use static entries, not DHCP). I find
> that is the biggest cause of reasons why you can't DCPromo properly.
> Proper DNS resolution against the AD is crucial to properly DCPromo-ing.
> If you use an alternative DNS server you will have trouble if it doesn't
> understand the extra records that AD requires.


Mmm, ok. I have it set up on DHCP at the moment, but it is definitely using
the SBS box as its only DNS server.

I'll try setting it to static and see how that goes... but I'm not too
hopeful unfortunately!!
