Microsoft KB Archive/810089

From BetaArchive Wiki

Article ID: 810089

Article Last Modified on 10/27/2006


APPLIES TO

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Service Pack 3
  • Microsoft Windows 2000 Service Pack 2
  • Microsoft Windows 2000 Service Pack 1


SYMPTOMS

If a directory partition is removed (the last domain controller for that context is demoted to a member server), and is then re-created before replication is completed, lingering phantoms may be incorrectly referred to by a crossRef object. This condition can cause replication errors, and may prevent you from promoting a new global catalog. See the "More Information" section in this article for definitions of terms and sample Directory Services event log entries.

Note that the Windows 2000 Service Pack 3 hotfixes that are listed in the "References" section of this article do not permit the Ntdsutil.exe tool to fix this problem.

The update that this article describes is a preventative fix; the fix is intended only to prevent the problem from occurring. For additional information about how to correct this problem if it has already occurred, click the following article number to view the article in the Microsoft Knowledge Base:

814202 The Ntdsutil Semantic Checker Cannot Rename Conflict-Mangled Phantom Names


CAUSE

Inbound replication of a new crossRef object is delayed when the nCName value matches an existing object. However, if the nCName value matches an existing phantom, the value may be attached to an old naming context. When later references to the correct (new) naming context are replicated in, the existing name is "mangled" to reflect that it is in conflict.

RESOLUTION

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows 2000 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support


NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 

   Date         Time   Version        Size     File name
   --------------------------------------------------------
   16-Feb-2003  14:30  5.0.2195.6613  124,176  Adsldp.dll  
   16-Feb-2003  14:30  5.0.2195.6601  130,832  Adsldpc.dll 
   26-Feb-2003  09:40  5.0.2195.6667   62,736  Adsmsext.dll
   26-Feb-2003  09:40  5.0.2195.6672  378,640  Advapi32.dll
   16-Feb-2003  14:30  5.0.2195.6611   49,936  Browser.dll 
   16-Feb-2003  14:30  5.0.2195.6663  135,952  Dnsapi.dll  
   16-Feb-2003  14:30  5.0.2195.6663   96,528  Dnsrslvr.dll
   16-Feb-2003  14:30  5.0.2195.6661   46,352  Eventlog.dll
   16-Feb-2003  14:30  5.0.2195.6627  148,240  Kdcsvc.dll  
   20-Feb-2003  14:11  5.0.2195.6666  204,560  Kerberos.dll
   02-Dec-2002  17:09  5.0.2195.6621   71,888  Ksecdd.sys
   24-Jan-2003  12:40  5.0.2195.6659  509,712  Lsasrv.dll  
   24-Jan-2003  12:41  5.0.2195.6659   33,552  Lsass.exe   
   05-Feb-2003  06:59  5.0.2195.6662  109,328  Msv1_0.dll  
   16-Feb-2003  14:30  5.0.2195.6601  312,592  Netapi32.dll
   16-Feb-2003  14:30  5.0.2195.6627  360,720  Netlogon.dll
   26-Feb-2003  09:40  5.0.2195.6672  929,552  Ntdsa.dll   
   26-Feb-2003  09:40  5.0.2195.6666  392,464  Samsrv.dll  
   26-Feb-2003  09:40  5.0.2195.6672  131,344  Scecli.dll  
   26-Feb-2003  09:40  5.0.2195.6671  306,448  Scesrv.dll  
   16-Feb-2003  14:30  5.0.2195.6601   51,472  W32time.dll 
   16-Aug-2002  03:32  5.0.2195.6601   57,104  W32tm.exe   
   26-Feb-2003  09:40  5.0.2195.6666  125,200  Wldap32.dll

Note this update is required on only the computer that holds the domain naming master role.


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product


Definitions

Phantom

This is an object that has been deleted, and whose tombstone lifetime has passed. However, references to the object are still present in the directory database. Phantom objects are special kinds of internal database tracking objects that you cannot view through any LDAP or Active Directory Service Interface (ADSI) tool.

CrossRef

These are objects of the crossRef class that identify the existance and location of all directory partitions, and permit domain controllers to be aware of forest-wide directory partitions. These objects are stored in the Configuration container, and are replicated to every domain controller in the forest. Each crossRef object has a "nCName" (naming context, or directory partition) attribute. These must be unique.

Error Message That You Receive When You Try to Promote a New Global Catalog

Event Type: Informational
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1559
Date: mm/dd/yyyy
Time: hh:mm:ss AM/PM
User: Everyone
Computer: DC_NAME

A request has been made to promote this DSA to a Global Catalog (GC). A precondition to becoming a GC is that this server host a read-only copy of all partitions in the enterprise. This server should hold a copy of partition DC="domainCNF:old_domain_GUID",DC=com but it does not. This system will not be promoted to a GC until this condition is met.

This may be because the KCC has not run, or that it is unable to add a replica of the partition because all of its sources are down. Please check the event log for KCC errors.

The KCC will retry adding the replica.

Replication Error Messages

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1645
Date: mm/dd/yyyy
Time: hh:mm:ss AM/PM
User: Everyone
Computer: DC_NAME
Description:
The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is GUID._msdcs.domain.com The SPN being used is GUID/GUID/domainCNF:old_domain_GUID.com@domainCNF:old_domain_GUID.com

Please verify that the names of the target server and domain are correct. Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated.

Event Type: Warning
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1265
Date: mm/dd/yyyy
Time: hh:mm:ss AM/PM
User: Everyone
Computer: DC_NAME
Description:
The attempt to establish a replication link with parameters Partition: CN=Configuration,DC=domain,DC=com Source DSA DN: CN=NTDS Settings,CN=DC_NAME,CN=Servers,CN=Sites,CN=Configuration,DC=domain,DC=dom Source DSA Address: GUID._msdcs.domain.com Inter-site Transport (if any):

failed with the following status: The DSA operation is unable to proceed because of a DNS lookup failure. The record data is the status code. This operation will be retried.

Data:
0000: 4c 21 00 00 L!..
This is 8524 decimal (ERROR_DS_DNS_LOOKUP_FAILURE)

REFERENCES

For additional information about related items, click the following article numbers to view the articles in the Microsoft Knowledge Base:

258310 Viewing Deleted Objects in Active Directory


248047 Phantoms, Tombstones and the Infrastructure Master


For additional information about related hotfixes, click the following article numbers to view the articles in the Microsoft Knowledge Base:

281485 Name Collision in Active Directory Causes Replication Errors


319622 Ntdsutil.exe Semantic Checker "Can't Fix Mangled NC" Error Message in Windows 2000


Keywords: kbbug kbfix kbwin2000presp4fix kbqfe kbhotfixserver KB810089



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/810089&oldid=190526
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki