Cannot Promote New Global Catalog When Conflict Naming Contexts Exist

This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
If a directory partition is removed (the last domain controller for that context is demoted to a member server), and is then re-created before replication is completed, lingering phantoms may be incorrectly referred to by a crossRef object. This condition can cause replication errors, and may prevent you from promoting a new global catalog. See the "More Information" section in this article for definitions of terms and sample Directory Services event log entries.

Note that the Windows 2000 Service Pack 3 hotfixes that are listed in the "References" section of this article do not permit the Ntdsutil.exe tool to fix this problem.

The update that this article describes is a preventative fix; the fix is intended only to prevent the problem from occurring. For additional information about how to correct this problem if it has already occurred, click the following article number to view the article in the Microsoft Knowledge Base:
814202 The Ntdsutil Semantic Checker Cannot Rename Conflict-Mangled Phantom Names
CAUSE
Inbound replication of a new crossRef object is delayed when the nCName value matches an existing object. However, if the nCName value matches an existing phantom, the value may be attached to an old naming context. When later references to the correct (new) naming context are replicated in, the existing name is "mangled" to reflect that it is in conflict.
RESOLUTION
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language. The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version        Size     File name   --------------------------------------------------------   16-Feb-2003  14:30  5.0.2195.6613  124,176  Adsldp.dll     16-Feb-2003  14:30  5.0.2195.6601  130,832  Adsldpc.dll    26-Feb-2003  09:40  5.0.2195.6667   62,736  Adsmsext.dll   26-Feb-2003  09:40  5.0.2195.6672  378,640  Advapi32.dll   16-Feb-2003  14:30  5.0.2195.6611   49,936  Browser.dll    16-Feb-2003  14:30  5.0.2195.6663  135,952  Dnsapi.dll     16-Feb-2003  14:30  5.0.2195.6663   96,528  Dnsrslvr.dll   16-Feb-2003  14:30  5.0.2195.6661   46,352  Eventlog.dll   16-Feb-2003  14:30  5.0.2195.6627  148,240  Kdcsvc.dll     20-Feb-2003  14:11  5.0.2195.6666  204,560  Kerberos.dll   02-Dec-2002  17:09  5.0.2195.6621   71,888  Ksecdd.sys   24-Jan-2003  12:40  5.0.2195.6659  509,712  Lsasrv.dll     24-Jan-2003  12:41  5.0.2195.6659   33,552  Lsass.exe      05-Feb-2003  06:59  5.0.2195.6662  109,328  Msv1_0.dll     16-Feb-2003  14:30  5.0.2195.6601  312,592  Netapi32.dll   16-Feb-2003  14:30  5.0.2195.6627  360,720  Netlogon.dll   26-Feb-2003  09:40  5.0.2195.6672  929,552  Ntdsa.dll      26-Feb-2003  09:40  5.0.2195.6666  392,464  Samsrv.dll     26-Feb-2003  09:40  5.0.2195.6672  131,344  Scecli.dll     26-Feb-2003  09:40  5.0.2195.6671  306,448  Scesrv.dll     16-Feb-2003  14:30  5.0.2195.6601   51,472  W32time.dll    16-Aug-2002  03:32  5.0.2195.6601   57,104  W32tm.exe      26-Feb-2003  09:40  5.0.2195.6666  125,200  Wldap32.dll 
Note this update is required on only the computer that holds the domain naming master role.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
MORE INFORMATION
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product

Definitions

Phantom

This is an object that has been deleted, and whose tombstone lifetime has passed. However, references to the object are still present in the directory database.Phantom objects are special kinds of internal database tracking objects that you cannot view through any LDAP or Active Directory Service Interface (ADSI) tool.

CrossRef

These are objects of the crossRef class that identify the existance and location of all directory partitions, and permit domain controllers to be aware of forest-wide directory partitions. These objects are stored in the Configuration container, and are replicated to every domain controller in the forest. Each crossRef object has a "nCName" (naming context, or directory partition) attribute. These must be unique.

Error Message That You Receive When You Try to Promote a New Global Catalog

Event Type: Informational
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1559
Date: mm/dd/yyyy
Time: hh:mm:ss AM/PM
User: Everyone
Computer: DC_NAME

A request has been made to promote this DSA to a Global Catalog (GC). Aprecondition to becoming a GC is that this server host a read-only copy of allpartitions in the enterprise. This server should hold a copy of partitionDC="domainCNF:old_domain_GUID",DC=com but it does not. This system will notbe promoted to a GC until this condition is met.

This may be because the KCC has not run, or that it is unable to add a replicaof the partition because all of its sources are down. Please check the eventlog for KCC errors.

The KCC will retry adding the replica.

Replication Error Messages

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1645
Date: mm/dd/yyyy
Time: hh:mm:ss AM/PM
User: Everyone
Computer: DC_NAME
Description:
The Directory Service received a failure while trying to perform anauthenticated RPC call to another Domain Controller. The failure is that thedesired Service Principal Name (SPN) is not registered on the target server.The server being contacted is GUID._msdcs.domain.comThe SPN being used isGUID/GUID/domainCNF:old_domain_GUID.com@domainCNF:old_domain_GUID.com

Please verify that the names of the target server and domain are correct.Please also verify that the SPN is registered on the computer account object forthe target server on the KDC servicing the request. If the target server hasbeen recently promoted, it will be necessary for knowledge of this computer'sidentity to replicate to the KDC before this computer can be authenticated.

Event Type: Warning
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1265
Date: mm/dd/yyyy
Time: hh:mm:ss AM/PM
User: Everyone
Computer: DC_NAME
Description:
The attempt to establish a replication link with parametersPartition: CN=Configuration,DC=domain,DC=comSource DSA DN: CN=NTDS Settings,CN=DC_NAME,CN=Servers,CN=Sites,CN=Configuration,DC=domain,DC=domSource DSA Address: GUID._msdcs.domain.comInter-site Transport (if any):

failed with the following status:The DSA operation is unable to proceed because of a DNS lookup failure.The record data is the status code. This operation will be retried.

Data:
0000: 4c 21 00 00 L!..
This is 8524 decimal (ERROR_DS_DNS_LOOKUP_FAILURE)
REFERENCES
For additional information about related items, click the following article numbers to view the articles in the Microsoft Knowledge Base:
258310 Viewing Deleted Objects in Active Directory
248047 Phantoms, Tombstones and the Infrastructure Master
For additional information about related hotfixes, click the following article numbers to view the articles in the Microsoft Knowledge Base:
281485 Name Collision in Active Directory Causes Replication Errors
319622 Ntdsutil.exe Semantic Checker "Can't Fix Mangled NC" Error Message in Windows 2000
Properties

Article ID: 810089 - Last Review: 02/27/2014 18:42:52 - Revision: 1.5

  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Service Pack 3
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP1
  • kbnosurvey kbarchive kbautohotfix kbhotfixserver kbqfe kbbug kbfix kbwin2000presp4fix kbqfe KB810089
Feedback