Symptom 1
You experience Exchange Server errors after you lose the operations master (also known as flexible single master operations, or FSMO) role owner and global catalog. In this situation, you seize all the operations master roles except for the Domain Naming Master, and then you receive the following response:
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x35(53 (Unwilling To Perform).
Ldap extended error message is 0000214B: SvcErr: DSID-032107C5, problem 5003 (WILL_NOT_PERFORM), data 0
Note Only DSAs that are configured as global catalog servers should be able to hold the domain naming master operations master role.
Then, you try to remove the nonexistent child domains. However, this triggers the following error:
metadata cleanup: select operation target
select operation target: list domains
Found 3 domain(s)
0 - DC=domainComponent,DC=com
1 - DC=domainComponent,DC=domainComponent,DC=com
2 - DC=domainComponent,DC=domainComponent,DC=com
select operation target: select domain 2
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainComponent,DC=com
Domain - DC=domainComponent,DC=domainComponent,DC=com
No current server
No current Naming Context
select operation target: q
metadata cleanup: remove selected domain
DsRemoveDsDomainW error 0x20ab(The cross reference for the specified naming context could not be found.)
You cannot change global catalog occupancy requirements and advertisement time, but the global catalog will not be installed on a member server.
Symptom 2
You configure a Windows 2000-based server or a Windows Server 2003 domain controller as a global catalog server by selecting the check box on the CN=NTDS Settings object. However, the domain controller cannot advertise itself as a global catalog, and the following events are logged every 30 minutes:
Note To become a global catalog server, the server must host a read-only copy of all partitions in the enterprise. This server should hold a copy of the DC=child, DC=root, DC=com partition. However, it does not. Therefore, the domain controller is not installed as a global catalog server until this condition is met.
This issue may occur if the Knowledge Consistency Checker (KCC) is not running or if it cannot add a replica of the partition because all its sources are down. In this situation, the following event for KCC errors is logged:
Note The KCC will retry adding the replica.
A parameter is used to control how strictly the directory enforces the partition occupancy requirement. The parameter is located under the following registry subkey:
- Level 0: No occupancy requirement
- Level 1: At least one read-only partition in site added by the KCC
- Level 2: At least one partition in site synchronized fully
- Level 3: All read-only partitions in site added by the KCC (at least one synchronized)
- Level 4: All partitions in site synchronized fully
If you want to install the global catalog immediately without enforcing this precondition, set the registry entry to a DWORD value of 0 in the following registry subkey:
An event that resembles the following is logged every 15 minutes:
Note The error description may vary. The 1265 event may be recorded, and the KCC may be unable to build a replication link. The operation may also fail with a status that resembles one or more of the following:
- The DSA operation is unable to proceed because of a DNS lookup failure. Resolve the DNS problem.
- The RPC server is unavailable. This normally indicates a network connectivity issue. Check whether the target domain controller is offline or whether a network port is blocked.
- The target principal name is incorrect. Check the secure channel between the source and target domain controllers.
The following registry subkey defines the directory partition occupancy requirement level:
Additionally, in the domain controller diagnostic log, this domain controller fails the Advertising test, which reports that it does not advertise itself as a global catalog server. To run a domain controller diagnostic check, type the following command at a command prompt, and then press Enter:
Symptom 3
Consider the following scenario:
- You have two domain controllers: a parent domain controller and a domain controller in a child domain.
- The domain controllers crash so that you have to rebuild them.
- You take the child domain offline.
----- DCDIAG ----
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=commonName,CN=commonName,CN=Servers,CN=HB,CN=Sites,CN=Configuration,DC=hermosabch,DC=org
Role Domain Owner = CN=commonName,CN=commonName,CN=Servers,CN=HB,CN=Sites,CN=Configuration,DC=hermosabch,DC=org
Warning: CN=commonName,CN=commonName,CN=Servers,CN=HB,CN=Sites,CN=Configuration,DC=hermosabch,DC=org is the Domain Owner, but is deleted.
Role PDC Owner = CN=commonName,CN=commonName,CN=Servers,CN=HB,CN=Sites,CN=Configuration,DC=hermosabch,DC=org
Role Rid Owner = CN=commonName,CN=commonName,CN=Servers,CN=HB,CN=Sites,CN=Configuration,DC=hermosabch,DC=org
Role Infrastructure Update Owner = CN=commonName,CN=commonName,CN=Servers,CN=HB,CN=Sites,CN=Configuration,DC=hermosabch,DC=org
......................... HBP failed test KnowsOfRoleHolders
Symptom 4
Domain controllers do not advertise themselves as global catalogs. A connection on port 3268 is not possible.
In Event Viewer, you see the following events:
This directory server has not received replication information from several directory servers recently. The count of directory servers is shown and divided into the following intervals:
More than a week: 2
More than one month: 2
More than two months: 2
More than a tombstone lifetime: 2
Tombstone lifetime (days): 180
When you try to connect to the domain controllers by using ldp.exe, you receive the following error message:
The following event is logged:
As a precondition to becoming a global catalog, a domain controller must host a read-only replica of all directory partitions in the forest. This event might have occurred if a Knowledge Consistency Checker (KCC) task was not completed or if the domain controller cannot add a replica of the directory partition because of unavailable source domain controllers.
An attempt to add the replica will occur again at the next KCC interval.
Cause of Symptom 1
Global catalogs host a read-only copy of objects from each domain partition in the forest. When a computer is selected to host the global catalog, the KCC on the computer that's being promoted uses its discretion to build connection objects from source domain controllers. The source domain controllers may consist of existing global catalogs in the forest or of domain controllers that host writable copies of every domain partition that resides in the forest. Domain partitions (all objects and a subset of attributes) are then inbound-replicated from the source domain controllers that are designated by the KCC to the new global catalog server over those connection links.
This issue may occur if one or more of the following conditions are true:
- The configuration partition of the global catalog is installed, and other domain controllers in the forest contain a cross-reference object for a domain. However, no domain controllers for that domain exist in the forest.
- Metadata for a source domain controller that's designated by the KCC exists in the forest but does not represent a domain controller that currently resides in the forest.
- The source domain controller that's selected by the KCC on the global catalog that's being installed is offline or powered off.
- The source domain controller that's selected by the KCC on the global catalog that's being installed is inaccessible over the network because of a lack of network connectivity (such as link down or port blockage).
- Source domain global catalogs are constrained from acting as bridgeheads because a non-global catalog domain controller is incorrectly selected as a preferred bridgehead by an administrator.
- The global catalog that's being installed cannot build a connection link from the selected source domain controller because of an error status in the event log.
- The source domain controller cannot inbound-replicate over the connection link from a selected source domain controller because of an error status in the event log.
- Active Directory is removed from all the domain controllers, but the domain partition cross-reference object still exists.
- A directory partition is removed from a domain, but the directory partition is re-created before replication is complete. This causes lingering phantoms that are then referred to by a cross-reference object.
- The domain-naming update for the domain may not have reached the domain controller that is experiencing the problem. Or, the domain-naming update for a domain that is newly promoted may not have reached any domain controllers outside the domain. This is a temporary problem.
Cause of Symptom 4
This issue occurs because a subdomain is not removed correctly from AD DS. The domain controllers cannot replicate with this subdomain and cannot obtain a read-only replica of the domain partition. Therefore, they do not advertise themselves as global catalogs.
Workaround for Symptom 1
To work around the issue, look up the FSMOROLEOWNER attributes for "CN=partitions, CN=Configuration,CN=domain,CN=" under ADSIedit.msc.
The attribute points to the following old domain naming master:
Workaround for Symptom 2
Warning The registry suggestion in event 1578 warns that you should not enable a reduced occupancy level to artificially speed up global catalog promotion. We recommend that you resolve the Directory Service replication issue so that the global catalog is advertised automatically. To resolve this problem, first determine whether you're experiencing a replication delay, or whether there's actually an orphaned domain in the forest environment.
If there is an orphaned domain, NTDS KCC event 1265 is logged in the directory service log. Use this event to determine the cause of the replication failure for the same domain partition. Make sure that network connectivity is good and that no network ports are blocked, such as TCP 135. Check the DNS records, and make sure that the registered Host and SRV records are all correct. If there are stale records, remove them.
After replication between domain controllers is verified to be working correctly, and you've verified that there really is an orphaned domain, use the Ntdsutil.exe utility to clear the orphaned domain object. If there is any orphaned domain controller object for that domain, you can also delete the domain controller object. To delete an orphaned domain in AD DS, see How to remove orphaned domains from Active Directory.
If an orphaned domain controller object still exists in the orphaned domain, delete the domain controller object first. For more information, see How to remove data in Active Directory after an unsuccessful domain controller demotion.
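The check above, deciding whether a domain is really orphaned rather than merely slow to replicate, can be scripted. This added example (not from the article) lists every domain crossRef in the Partitions container and flags those whose naming context is hosted by no live nTDSDSA object in the forest; it only reads the directory and assumes a domain-joined machine running as a domain user.

```powershell
# Added example (not from the KB article): report domain cross-reference objects
# that no domain controller in the forest hosts. Read-only; modifies nothing.
$rootDse    = [ADSI]'LDAP://RootDSE'
$configNc   = $rootDse.configurationNamingContext
$partitions = [ADSI]"LDAP://CN=Partitions,$configNc"

# 1. Every domain crossRef: systemFlags bit 0x2 (FLAG_CR_NTDS_DOMAIN),
#    matched with the LDAP bitwise-AND rule 1.2.840.113556.1.4.803.
$crSearch = New-Object System.DirectoryServices.DirectorySearcher($partitions)
$crSearch.Filter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
[void]$crSearch.PropertiesToLoad.AddRange(@('nCName', 'dnsRoot'))
$domainCrossRefs = $crSearch.FindAll()

# 2. Every live nTDSDSA object (one per DC) and the domain NCs it hosts.
#    Deleted (tombstoned) DSA objects are not returned, so a DC whose
#    metadata was cleaned up does not count as a host.
$sites = [ADSI]"LDAP://CN=Sites,$configNc"
$dsaSearch = New-Object System.DirectoryServices.DirectorySearcher($sites)
$dsaSearch.Filter = '(objectClass=nTDSDSA)'
[void]$dsaSearch.PropertiesToLoad.AddRange(@('msDS-HasDomainNCs'))
$hostedNcs = @{}
foreach ($dsa in $dsaSearch.FindAll()) {
    foreach ($nc in $dsa.Properties['msds-hasdomainncs']) {
        $hostedNcs[$nc.ToString().ToLower()] += 1
    }
}

# 3. A crossRef whose nCName no DSA hosts is the orphan pattern from the
#    article. A domain promoted minutes ago can show up here too until its
#    nTDSDSA object replicates, so re-run after replication has converged.
foreach ($cr in $domainCrossRefs) {
    $nc   = $cr.Properties['ncname'][0].ToString()
    $dns  = $cr.Properties['dnsroot'][0]
    $hits = $hostedNcs[$nc.ToLower()]
    if (-not $hits) {
        Write-Output "ORPHAN CANDIDATE: $nc ($dns) - no nTDSDSA object hosts this partition"
    } else {
        Write-Output "OK: $nc ($dns) hosted by $hits DC(s)"
    }
}
```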
Workaround for Symptom 3
To work around this issue, start the domain controller in Directory Services Restore Mode (DSRM), and then run the semantic database analysis fix. After the fix finishes running, it reports the following error:
If you restart in normal mode, you still cannot delete the object until you change the value of the nCName attribute to its parent domain. Then, the domain controller advertises itself as a global catalog server and as an Exchange server.
Workaround for Symptom 4
To work around this issue, see How to clean up server metadata by using Active Directory Users and Computers.
To confirm that the domain naming master is a global catalog server, follow these steps:
- At a command prompt, type nltest /dsgetdc:Domain_name /server:Server_Name, and then press Enter.
- Verify that the server is advertising the GC flag.
Address: \\IP Address
Dom Name: Domain_name
Forest Name: Domain_name.com
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE
The command completed successfully
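The nltest check above covers one domain controller at a time. This added example (not from the article) runs the same test against every domain controller in the forest and combines it with the two other signals the article mentions, reachability of the global catalog port 3268 and the rootDSE isGlobalCatalogReady attribute, so a DC that has the global catalog check box set but is not advertising stands out. It assumes the ActiveDirectory RSAT module is installed and that Test-NetConnection is available (Windows 8 / Windows Server 2012 or later).

```powershell
# Added example (not from the KB article): forest-wide global catalog
# advertisement report. Read-only; nothing is changed on any DC.
Import-Module ActiveDirectory

function Test-GcAdvertisement {
    param([string]$Server, [string]$Domain, [bool]$ConfiguredGC)
    $r = [ordered]@{
        Server = $Server; Domain = $Domain; ConfiguredGC = $ConfiguredGC
        NltestGC = $false; Port3268 = $false; RootDseReady = $null
    }
    # DsGetDcName flags as printed by nltest; "GC" is present only when the
    # DC actually advertises as a global catalog (Flags: PDC GC DS LDAP ...).
    $out   = & nltest.exe "/dsgetdc:$Domain" "/server:$Server" 2>&1
    $flags = ($out | Where-Object { $_ -match '^\s*Flags:' }) -replace '^\s*Flags:\s*', ''
    $r.NltestGC = (($flags -split '\s+') -contains 'GC')

    # Symptom 4 in the article: GC LDAP port 3268 cannot be reached.
    $r.Port3268 = (Test-NetConnection -ComputerName $Server -Port 3268 `
                       -WarningAction SilentlyContinue).TcpTestSucceeded

    # rootDSE exposes the occupancy decision directly: TRUE once the DC
    # holds the required read-only partitions and is willing to advertise.
    try {
        $rootDse = [ADSI]"LDAP://$Server/RootDSE"
        $r.RootDseReady = [string]$rootDse.isGlobalCatalogReady
    } catch {
        $r.RootDseReady = "error: $($_.Exception.Message)"
    }
    [pscustomobject]$r
}

# Walk every domain in the forest so child-domain DCs are included.
$report = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        Test-GcAdvertisement -Server $dc.HostName -Domain $domain -ConfiguredGC $dc.IsGlobalCatalog
    }
}
$report | Format-Table -AutoSize

# A row with ConfiguredGC = True but NltestGC = False (and typically
# Port3268 = False, RootDseReady = FALSE) is the condition this article
# describes: the check box is set, but the DC has not met the partition
# occupancy requirement, so start with the KCC 1265/1578 events on that DC.
$report | Where-Object { $_.ConfiguredGC -and -not $_.NltestGC }
```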
- You cannot promote a Windows 2000-based domain controller to a global catalog server
- You cannot promote a Windows Server 2003-based domain controller to be a global catalog server
- Cannot promote new global catalog when conflict naming contexts exist
- How to remove orphaned domains from Active Directory
- Removing non-existent domain with Ntdsutil.exe generates "DsRemoveDsDomainW Error" error message
- "Dsremovedsdomainw error with code 0x2077" error message when you remove an orphaned domain by using NTDSUTIL
Article ID: 3063705 - Last Review: Jun 24, 2015 - Revision: 1