Microsoft KB Archive/810089

= Cannot Promote New Global Catalog When Conflict Naming Contexts Exist =

Article ID: 810089

Article Last Modified on 10/27/2006


APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 1




SYMPTOMS
If a directory partition is removed (the last domain controller for that context is demoted to a member server), and is then re-created before replication is completed, lingering phantoms may be incorrectly referred to by a crossRef object. This condition can cause replication errors, and may prevent you from promoting a new global catalog. See the "More Information" section in this article for definitions of terms and sample Directory Services event log entries.

Note that the Windows 2000 Service Pack 3 hotfixes that are listed in the "References" section of this article do not permit the Ntdsutil.exe tool to fix this problem.

The update that this article describes is a preventative fix; the fix is intended only to prevent the problem from occurring. For additional information about how to correct this problem if it has already occurred, click the following article number to view the article in the Microsoft Knowledge Base:

814202 The Ntdsutil Semantic Checker Cannot Rename Conflict-Mangled Phantom Names



CAUSE
Inbound replication of a new crossRef object is delayed when the nCName value matches an existing object. However, if the nCName value matches an existing phantom, the value may be attached to an old naming context. When later references to the correct (new) naming context are replicated in, the existing name is "mangled" to reflect that it is in conflict.



RESOLUTION
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows 2000 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Time   Version        Size     File name
   ------------------------------------------------------
   16-Feb-2003  14:30  5.0.2195.6613  124,176  Adsldp.dll
   16-Feb-2003  14:30  5.0.2195.6601  130,832  Adsldpc.dll
   26-Feb-2003  09:40  5.0.2195.6667   62,736  Adsmsext.dll
   26-Feb-2003  09:40  5.0.2195.6672  378,640  Advapi32.dll
   16-Feb-2003  14:30  5.0.2195.6611   49,936  Browser.dll
   16-Feb-2003  14:30  5.0.2195.6663  135,952  Dnsapi.dll
   16-Feb-2003  14:30  5.0.2195.6663   96,528  Dnsrslvr.dll
   16-Feb-2003  14:30  5.0.2195.6661   46,352  Eventlog.dll
   16-Feb-2003  14:30  5.0.2195.6627  148,240  Kdcsvc.dll
   20-Feb-2003  14:11  5.0.2195.6666  204,560  Kerberos.dll
   02-Dec-2002  17:09  5.0.2195.6621   71,888  Ksecdd.sys
   24-Jan-2003  12:40  5.0.2195.6659  509,712  Lsasrv.dll
   24-Jan-2003  12:41  5.0.2195.6659   33,552  Lsass.exe
   05-Feb-2003  06:59  5.0.2195.6662  109,328  Msv1_0.dll
   16-Feb-2003  14:30  5.0.2195.6601  312,592  Netapi32.dll
   16-Feb-2003  14:30  5.0.2195.6627  360,720  Netlogon.dll
   26-Feb-2003  09:40  5.0.2195.6672  929,552  Ntdsa.dll
   26-Feb-2003  09:40  5.0.2195.6666  392,464  Samsrv.dll
   26-Feb-2003  09:40  5.0.2195.6672  131,344  Scecli.dll
   26-Feb-2003  09:40  5.0.2195.6671  306,448  Scesrv.dll
   16-Feb-2003  14:30  5.0.2195.6601   51,472  W32time.dll
   16-Aug-2002  03:32  5.0.2195.6601   57,104  W32tm.exe
   26-Feb-2003  09:40  5.0.2195.6666  125,200  Wldap32.dll

Note this update is required on only the computer that holds the domain naming master role.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product

Phantom
This is an object that has been deleted, and whose tombstone lifetime has passed. However, references to the object are still present in the directory database. Phantom objects are special kinds of internal database tracking objects that you cannot view through any LDAP or Active Directory Service Interface (ADSI) tool.

CrossRef
These are objects of the crossRef class that identify the existence and location of all directory partitions, and permit domain controllers to be aware of forest-wide directory partitions. These objects are stored in the Configuration container, and are replicated to every domain controller in the forest. Each crossRef object has an "nCName" (naming context, or directory partition) attribute. These must be unique.

Error Message That You Receive When You Try to Promote a New Global Catalog
Event Type: Informational

Event Source: NTDS Replication

Event Category: Replication

Event ID: 1559

Date:

Time:

User: Everyone

Computer:

A request has been made to promote this DSA to a Global Catalog (GC). A precondition to becoming a GC is that this server host a read-only copy of all partitions in the enterprise. This server should hold a copy of partition DC="domainCNF: ",DC=com but it does not. This system will not be promoted to a GC until this condition is met.

This may be because the KCC has not run, or that it is unable to add a replica of the partition because all of its sources are down. Please check the event log for KCC errors.

The KCC will retry adding the replica.
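
One way to check an export of the crossRef objects for the condition that Event ID 1559 reports, as an added example that is not part of the original article or Microsoft's tooling. The function names, the sample DNs and GUID, and the assumption that a mangled component carries a separator (a line feed or its escaped form \0A) followed by "CNF:" and a GUID are all illustrative.

```python
import re

# Assumed shape of a conflict-mangled RDN value: optional separator (raw line
# feed or the escaped form "\0A"), the "CNF:" marker seen in the event text,
# then a GUID. The article itself shows only the "CNF:" marker.
MANGLE = re.compile(r"(?:\\0A|\n)?CNF:\s*[0-9a-fA-F-]{36}")


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def unmangle(dn):
    """Return (dn_without_conflict_suffix, was_mangled) for one nCName value."""
    parts = split_rdns(dn)
    cleaned = [MANGLE.sub("", part) for part in parts]
    return ",".join(cleaned), cleaned != parts


def audit_crossrefs(crossrefs):
    """crossrefs: iterable of (crossRef DN, nCName value).

    Flags nCName values that are conflict-mangled and nCName values that are
    held by more than one crossRef (the article states they must be unique).
    """
    findings = []
    seen = set()  # lower-cased nCName values already claimed by a crossRef
    for ref_dn, ncname in crossrefs:
        original, mangled = unmangle(ncname)
        if mangled:
            findings.append(("mangled", ref_dn, original))
        elif original.lower() in seen:
            findings.append(("duplicate", ref_dn, original))
        else:
            seen.add(original.lower())
    return findings


# Constructed sample input; names and GUID are placeholders, not real data.
PARTITIONS = "CN=Partitions,CN=Configuration,DC=domain,DC=com"
SAMPLE = [
    ("CN=DOMAIN," + PARTITIONS, "DC=domain,DC=com"),
    ("CN=CHILD," + PARTITIONS,
     "DC=child\\0ACNF:11111111-2222-3333-4444-555555555555,DC=domain,DC=com"),
]

if __name__ == "__main__":
    for kind, ref_dn, ncname in audit_crossrefs(SAMPLE):
        print(f"{kind}: {ref_dn} -> nCName should be {ncname}")
```
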

Replication Error Messages
Event Type: Error

Event Source: NTDS Replication

Event Category: Replication

Event ID: 1645

Date:

Time:

User: Everyone

Computer:

Description:

The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is ._msdcs.domain.com The SPN being used is  / /domainCNF: .com@domainCNF: .com

Please verify that the names of the target server and domain are correct. Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated.

Event Type: Warning

Event Source: NTDS KCC

Event Category: (1)

Event ID: 1265

Date:

Time:

User: Everyone

Computer:

Description:

The attempt to establish a replication link with parameters Partition: CN=Configuration,DC=domain,DC=com Source DSA DN: CN=NTDS Settings,CN=DC_NAME,CN=Servers,CN=Sites,CN=Configuration,DC=domain,DC=dom Source DSA Address: ._msdcs.domain.com Inter-site Transport (if any):

failed with the following status: The DSA operation is unable to proceed because of a DNS lookup failure. The record data is the status code. This operation will be retried.

Data:

0000: 4c 21 00 00 L!..

This is 8524 decimal (ERROR_DS_DNS_LOOKUP_FAILURE)

