Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. You can't install a global catalog on a domain controller in Windows

You can't install a global catalog on a domain controller in Windows

View products that this article applies to.

This article describes an issue that prevents you from successfully installing a global catalog on a domain controller. This issue occurs in a Windows Server 2003 or Windows 2000 environment. To troubleshoot this issue, you can check the Domain Controller Diagnostics tool (dcdiag.exe) report, the event log, network ports, and DNS records.

↑ Back to the top

Symptom 1

You experience Exchange Server errors after you lose the operations master (also known as flexible single master operations, or FSMO) role owner and global catalog. In this situation, you seize all the operations master roles except for the Domain Naming Master, and then you receive the following response:
fsmo maintenance: seize domain naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x35(53 (Unwilling To Perform).
Ldap extended error message is 0000214B: SvcErr: DSID-032107C5, problem 5003
LL_NOT_PERFORM), data 0

When a 0x214b Win32 error is returned, this may indicate a connection, LDAP, or role transfer error, depending on the specific error code. Role seizure is forbidden in this situation.

Note Only DSAs that are configured as global catalog servers should be able to hold the domain naming master operations master role.

Then, you view the removing nonexistent child domains. However, this triggers the following error:
select operation target: q
metadata cleanup: select operation target
select operation target: list domains
Found 3 domain(s)
0 - DC=domainComponent,DC=com
1 - DC=domainComponent,DC=domainComponent,DC=com
2 - DC=domainComponent,DC=domainComponent,DC=com
select operation target: select domain 2
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainComponent,DC=com
Domain - DC=domainComponent,DC=domainComponent,DC=com
No current server
No current Naming Context
select operation target: q
metadata cleanup: remove selected domain
DsRemoveDsDomainW error 0x20ab(The cross reference for the specified naming cont
ext could not be found.)
metadata cleanup:


You try to delete the entries for the Sev and MA child domains, per the details in Removing non-existent domain with Ntdsutil.exe generates "DsRemoveDsDomainW Error" error message. However, you cannot delete the entries in ADSIEdit because of a "referral was returned from the server" error.

You cannot change global catalog occupancy requirements and advertisement time, but the global catalog will not be installed on a member server.

Symptom 2

You configure a Windows 2000-based server or a Windows Server 2003 domain controller as a global catalog server by selecting the check box for the CN=NTDS Setting object. However, the domain controller cannot advertise itself as a global catalog, and the following events are logged every 30 minutes:

Note To become a global catalog server, the server must host a read-only copy of all partitions in the enterprise. This server should hold a copy of the DC=child, DC=root, DC=com partition. However, it does not. Therefore, the domain controller is not installed to a global catalog server until this condition is met.

This issue may occur if the Knowledge Consistency Checker (KCC) is not running or if it cannot add a replica of the partition because all its sources are down. In this situation, the following event for KCC errors is logged:

Note The KCC will retry adding the replica.

A parameter is used to control how strictly the directory enforces the partition occupancy requirement. The parameter is located under the following registry subkey:
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Partition Occupancy

The levels are listed as follows:
  • Level 0: No occupancy requirement
  • Level 1: At least one read-only partition in site added by the KCC
  • Level 2: At least one partition in site synchronized fully
  • Level 3: All read-only partitions in site added by the KCC (at least one synchronized)
  • Level 4: All partitions in site synchronized fully
Note The higher levels include the requirements of the lower levels. The current occupancy requirement is 4. This server is currently at level 0.

If you want to install the global catalog immediately without enforcing this precondition, set the registry entry to a DWORD value of 0 in the following registry subkey:
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Delay Advertisement (sec)

The global catalog will be installed on the next attempt to check preconditions. This value can also be set to the maximum number of seconds that the DSA will wait before you install a global catalog.

An event that resembles the following is logged every 15 minutes:

Note The error description may vary. The 1265 event may be recorded, and KCC may be unable to build a replication link. The operation may also fail with a status that resembles one or more of the following:
  • The DSA operation is unable to proceed because of a DNS lookup failure. We should resolve DNS problem.
  • The RPC server is unavailable. Normally indicates a network connectivity issue. Check if target DC is offline or if network port is blocked.
  • The target principal name is incorrect. Check the secure channel between the source and target domain controllers.
The following Error event is logged every hour:

Directory partition:
DC=root,DC=com <DN Path of missing partition>

As a precondition to becoming a global catalog server, a domain controller must host a read-only replica of all directory partitions in the forest. This event occurs because a Knowledge Consistency Checker (KCC) task has not been completed or because the domain controller cannot add a replica of the directory partition because of unavailable source domain controllers. An attempt to add the replica will occur again at the next KCC interval.

The following registry subkey defines the directory partition occupancy requirement level:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Partition Occupancy

Additionally, in the domain controller diagnostic log, this domain controller does not pass the Advertising test, and claiming that it does not advertise itself as a global catalog server. To run a domain controller diagnostic check, type the following command at a command prompt, and then press Enter:
dcdiag /v

Symptom 3

Consider the following scenario:
  • You have two domain controllers: a parent domain controller and a domain controller in a child domain.
  • The domain controllers crash so that you have to rebuild them.
  • You take the child domain offline.
In this scenario, you cannot install a global catalog on either of the domain controllers. Some references of the child domain still exist in Active Directory Domain Services (AD DS). Additionally, the following event is written to the event log: 


----- DCDIAG ----
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=commonName,CN=commonName,CN=Servers,CN=HB,CN=Sites,CN=Configuration,DC=hermosabch,DC=org
Role Domain Owner = CN=commonName,CN=commonName,CN=Servers,CN=HB,CN=Sites,CN=Configuration,DC=hermosabch,DC=org
Warning: CN=commonName,CN=commonName,CN=Servers,CN=HB,CN=Sites,CN=Configuration,DC=hermosabch,DC=org is the Domain Owner, but is deleted.
Role PDC Owner = CN=commonName,CN=commonName,CN=Servers,CN=HB,CN=Sites,CN=Configuration,DC=hermosabch,DC=org
Role Rid Owner = CN=commonName,CN=commonName,CN=Servers,CN=HB,CN=Sites,CN=Configuration,DC=hermosabch,DC=org
Role Infrastructure Update Owner = CN=commonName,CN=commonName,CN=Servers,CN=HB,CN=Sites,CN=Configuration,DC=hermosabch,DC=org
......................... HBP failed test KnowsOfRoleHolders
When you try to remove the orphaned domain object from the Active Directory Diagnostic Tool (Ntdsutil.exe), you receive the following error message:
DsRemoveDsDomainW error 0x20ab

When you seize the domain role owner and the schema master, and then you try to delete the child domain from Ntdsutil.exe, you receive the following error message:

Dsremovedsdomainw Error with Code 0x2077

Ntdsutil.exe shows the orphaned child domain object together with "DEL: GUID." When you try to clear or edit the value for the nCName attribute of the orphaned object, you receive the following error message:

The attribute cannot be modified because it is owned by system.

Symptom 4

Domain controllers do not advertise themselves as global catalogs. A connection on port 3268 is not possible.

In Event Viewer, you see the following events:

This directory server has not received replication information from several directory servers recently. The count of directory servers is shown and divided into the following intervals:
More than 24 hours: 2
More than a week: 2
More than one month: 2
More than two months: 2
More than a tombstone lifetime: 2
Tombstone lifetime (days): 180
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A domain controller that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and it may be automatically blocked from future replication until it is reconciled.

When you try to connect over ldp.exe to the domain controllers, you receive the following error message:

Error <0x51>: Fail to connect to DC01.

Additionally, the following error occurs in Domain Controller Diagnostics Tool (dcdiag.exe):

Promotion of the local domain controller to a global catalog has been delayed because the directory partition occupancy requirements have not been met.

The following event is logged:

As a precondition to becoming a global catalog, a domain controller must host a read-only replica of all directory partitions in the forest. This event might have occurred if a Knowledge Consistency Checker (KCC) task was not completed or if the domain controller cannot add a replica of the directory partition because of unavailable source domain controllers.

An attempt to add the replica will occur again at the next KCC interval.

↑ Back to the top

Cause

Cause of Symptom 1

Global catalogs host a read-only copy of objects from each domain partition in the forest. When a computer is selected to host the global catalog, the KCC on the computer that's being promoted uses its discretion to build connection objects from source domain controllers. The source domain controllers may consist of existing global catalogs in the forest or of domain controllers that host writable copies of every domain partition that resides in the forest. Domain partitions (all objects and a subset of attributes) are then incoming replicated from source domain controllers that are designated by the KCC to the new global catalog server over those connection links.

This issue may occur if one or more of the following conditions are true:
  • The configuration partition of the global catalog is installed, and other domain controllers in the forest contain a cross-reference object for a domain. However, no domain controllers for that domain exist in the forest.
  • Metadata for a source domain controller that's designated by the KCC exists in the forest but does not represent a domain controller that currently resides in the forest.
  • The source domain controller that's selected by the KCC on the global catalog that's being installed is offline or powered off.
  • The source domain controller that's selected by the KCC on the global catalog that's being installed is inaccessible over the network because of a lack of network connectivity (such as link down or port blockage).
  • Source domain global catalogs are constrained from acting as bridgeheads because a non-global catalog domain controller is incorrectly selected as a preferred bridgehead by an administrator.
  • The global catalog that's being installed cannot build a connection link from the selected source domain controller because of an error status in the event log.
  • The source domain controller cannot incoming-replicate over the connection link from a selected source domain controller because of an error status in the event log.
A domain controller is removed from the forest, but its data was not cleaned out. An orphaned domain that exists in the forest prevents the domain controller from finishing replication and from advertising itself as a global catalog server. The following issues could lead to an orphaned domain:
  • Active Directory are removed from all the domain controllers, but the domain partition cross-reference object still exists.
  • A directory partition is removed from a domain, but the directory partition is re-created before replication is complete. This causes lingering phantoms that are then referred to by a cross-reference object.
  • The domain-naming update for the domain may not have reached the domain controller that is experiencing the problem. Or, the domain-naming update for a domain that is newly promoted may not have reached any domain controllers outside the domain. This is a temporary problem.

Cause of Symptom 4

This issue occurs because a subdomain is not removed correctly from AD DS. The domain controllers cannot replicate with this subdomain and cannot obtain a ready-only replica of the domain partition. Therefore, they do not advertise themselves as global catalogs.

↑ Back to the top

Workaround for Symptom 1

To work around the issue, look up the FSMOROLEOWNER attributes for "CN=partitions, CN=Configuration,CN=domain,CN=" under ADSIedit.msc.

The attribute points to the following old domain naming master:
CN=commonName,CN=commonName,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainComponent,DC=com

Change it to the NTDS settings object of the following new domain naming master:
CN=commonName,CN=commonName,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainComponent,DC=com

Then, you can delete the child domain objects under ADSIedit, and the global catalog is advertised. The Domain Controller Diagnostics Tool (dcdiag.exe) also comes out clean, and you can edit Exchange attributes and permissions.

Workaround for Symptom 2

Warning The registry suggestion in event 1578 warns that you should not enable a reduced occupancy level to artificially speed up global catalog promotion. We recommend that you resolve the Directory Service replication issue so that the global catalog is advertised automatically. To resolve this problem, first determine whether you're experiencing a replication delay, or whether there's actually an orphaned domain in the forest environment.

If there is an orphaned domain, NTDS KCC event 1265 logged in the directory service log. Use this event to determine the cause of the replication failure for the same domain partition. Make sure that network connectivity is good and that there are no network ports blocked, such as TCP 135. Check the DNS records, and make sure that the registered Host and SRV records are all good and clean. If there are garbage records, clear them out.

After replication between domain controllers is verified to be working correctly, and you've verified that there really is an orphaned domain, use the Ntdsutil.exe utility to clear the orphaned domain object. If there is any orphaned domain controller object for that domain, you can also delete the domain controller object. To delete an orphaned domain in AD DS, see How to remove orphaned domains from Active Directory.

If an orphaned domain controller object still exists in the orphaned domain, delete the domain controller object first. For more information, see How to remove data in Active Directory after an unsuccessful domain controller demotion.

Workaround for Symptom 3

To work around this issue, start in direct server return (DSR) mode, and then execute the semantic database analysis fix. After the fix is finished running, it reports the following error:

missing subrefs detected

If you restart in a standard mode, you still cannot delete the object until you change value for the nCName attribute to its parent domain. Then, the domain controller advertises itself as a global catalog server and as an Exchange server.

Workaround for Symptom 4

To work around this issue, see the How to clean up server metadata by using Active Directory Users and Computers.

↑ Back to the top

More Information

After you install a global catalog on a domain controller server, and the account and the schema information is replicated to the new global catalog server, event ID 1119 may be logged in the Directory Services log on the domain controller. The event description states that the computer is now advertising itself as a global catalog server.

To confirm that the domain naming master is a global catalog server, follow these steps:
  1. At a command prompt, type nltest /dsgetdc: Domain_name /server: Server_Name, and then press Enter.
  2. Verify that the server is advertising the GC flag.
For example, after you type the command, you receive a message that resembles the following when the GC flag is present:
DC: \\Server_Name
Address: \\IP Address
Dom Guid:
Dom Name: Domain_name
Forest Name: Domain_name.com
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE
The command completed successfully

Note The nltest tool is included in the Windows 2000 Support Tools. To install the Windows 2000 Support Tools, open the Support Tools folder on the Windows 2000 CD-ROM, and then run the Setup program. Additionally, you must log on as a member of the Administrators group to install these tools.

↑ Back to the top

Keywords: kbsurveynew, kbexpertiseadvanced, kbprb, kbtshoot, kb

↑ Back to the top

Article Info
Article ID : 3063705
Revision : 1
Created on : 1/7/2017
Published on : 6/24/2015
Exists online : False
Views : 1535