3 servers on this win2k domain...
Because of a HD crash I rebuit the machine using pieces of the raid set
(both drives died simultaniously) and got it working, I then had a USN
rollback problem so I demoted my mail server, did a metadata cleanup and
promoted again. That alowwed me to add users again and it seems OK but...
Now my Role holder event log is throwing KCC errors (event ID 1265) that
refer to DNS entries.
I found that the dsa address guid (cname) was different from the mail
server's dns entries so I deleted and created an identical record. but still
the 1265 error

DCDIAG run on both the Role holder and the mailserver in question skip the
mail server with the message "Not responding to directory service requests"

I can ping it by name or IP from any machine on the lan but I am at the end
of my experience now.

What would be the next step in resolving this?

In news:eT$w%23n$WGHA.3864@TK2MSFTNGP04.phx.gbl,
churchmouse@noemail.nospam <churchmouse@noemail.nospam> stated, which I
commented on below:
> 3 servers on this win2k domain...
> Because of a HD crash I rebuit the machine using pieces of the raid
> set (both drives died simultaniously) and got it working, I then had
> a USN rollback problem so I demoted my mail server, did a metadata
> cleanup and promoted again. That alowwed me to add users again and it
> seems OK but... Now my Role holder event log is throwing KCC
> errors (event ID 1265) that refer to DNS entries.
> I found that the dsa address guid (cname) was different from the mail
> server's dns entries so I deleted and created an identical record.
> but still the 1265 error
>
> DCDIAG run on both the Role holder and the mailserver in question
> skip the mail server with the message "Not responding to directory
> service requests"
> I can ping it by name or IP from any machine on the lan but I am at
> the end of my experience now.
>
> What would be the next step in resolving this?

I can't see how demoting a mail server will , unless it was a domain
controller. If that is the case, and you (assuming) reproted the DC into a
brand new domain, then I would also assume it would populate fresh data into
DNS, unless of course this was not the only DC in the domain. (Good reason
not to install Exchnage on a DC).

If you had a complete system state and Exchange backup, you could have
rebuilt the machine, then restored the system state, then restore Exchange,
then ran Exchange setup again with the setup /disasterrecovery switch.

If this is the only DC in the domain, and you've already lost your user
accounts, and you do not have backups, I would assume the best course of
action is to just rebuild from scratch and install Exchange (preferrably on
another machine), then disjoin and then rejoin the clients to the new
domain.

If you are trying to repair this, I would suggest to delete all the SRV
entries in DNS, and run ipconfig /registerdns, then restart the netlogon
service to repopulate the SRV records. If they are not populating
(registering) , (assuming that DNS is pointed to itself and the zone is
allowed updates, along with the domain is NOT a single label name), then
something else is going on, and if it's that far gone, a fresh rebuild may
be in order.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy. - [Me]

"Ace Fekay [MVP]" <PleaseAskMe@SomeDomain.com> wrote in message
news:eOqJgPCXGHA.4484@TK2MSFTNGP02.phx.gbl...
> In news:eT$w%23n$WGHA.3864@TK2MSFTNGP04.phx.gbl,
> churchmouse@noemail.nospam <churchmouse@noemail.nospam> stated, which I
> commented on below:
>> 3 servers on this win2k domain...
>> Because of a HD crash I rebuit the machine using pieces of the raid
>> set (both drives died simultaniously) and got it working, I then had
>> a USN rollback problem so I demoted my mail server, did a metadata
>> cleanup and promoted again. That alowwed me to add users again and it
>> seems OK but... Now my Role holder event log is throwing KCC
>> errors (event ID 1265) that refer to DNS entries.
>> I found that the dsa address guid (cname) was different from the mail
>> server's dns entries so I deleted and created an identical record.
>> but still the 1265 error
>>
>> DCDIAG run on both the Role holder and the mailserver in question
>> skip the mail server with the message "Not responding to directory
>> service requests"
>> I can ping it by name or IP from any machine on the lan but I am at
>> the end of my experience now.
>>
>> What would be the next step in resolving this?
>
> I can't see how demoting a mail server will , unless it was a domain
> controller. If that is the case, and you (assuming) reproted the DC into a
> brand new domain, then I would also assume it would populate fresh data
> into DNS, unless of course this was not the only DC in the domain. (Good
> reason not to install Exchnage on a DC).
>
> If you had a complete system state and Exchange backup, you could have
> rebuilt the machine, then restored the system state, then restore
> Exchange, then ran Exchange setup again with the setup /disasterrecovery
> switch.
>
> If this is the only DC in the domain, and you've already lost your user
> accounts, and you do not have backups, I would assume the best course of
> action is to just rebuild from scratch and install Exchange (preferrably
> on another machine), then disjoin and then rejoin the clients to the new
> domain.
>
> If you are trying to repair this, I would suggest to delete all the SRV
> entries in DNS, and run ipconfig /registerdns, then restart the netlogon
> service to repopulate the SRV records. If they are not populating
> (registering) , (assuming that DNS is pointed to itself and the zone is
> allowed updates, along with the domain is NOT a single label name), then
> something else is going on, and if it's that far gone, a fresh rebuild may
> be in order.
>
> --
> Ace
>

Hello Ace . mmac here. Good to see you are still around.
The dcpromo was in response to the failure of the HD set. After the
repair, the server functioned and served mail but if I tried to add a user
it wouldn't populate to the mail server the event log error were for USN
rollback. The soution was to demote, and remove metadata that referred to
theat machine and repromote. So I seized the roles and did just that.
So it does seem to be a DNS issue and I'll follow your advice this
evening.
Since there are three DNS servers I assume that I should delete those
records from them all?
And then reregister just the mail server? -correct?

In news:OaOracLXGHA.4324@TK2MSFTNGP03.phx.gbl,
churchmouse@noemail.nospam.net <churchmouse@noemail.nospam.net> stated,
which I commented on below:
>
> Hello Ace . mmac here. Good to see you are still around.
> The dcpromo was in response to the failure of the HD set. After the
> repair, the server functioned and served mail but if I tried to add a
> user it wouldn't populate to the mail server the event log error were
> for USN rollback. The soution was to demote, and remove metadata that
> referred to theat machine and repromote. So I seized the roles and
> did just that. So it does seem to be a DNS issue and I'll follow
> your advice this evening.
> Since there are three DNS servers I assume that I should delete those
> records from them all?
> And then reregister just the mail server? -correct?

Hi Mike, nice to hear from you again!

I haven't seen a "USN rollback" error or msg yet. Did you follow this
article to fix it (which also includes a couple relevant Microsoft
articles):
http://www.jsifaq.com/SUBR/tip8900/rh8952.htm

As for DNS, all machines don't need to register other than DCs. If this is a
DC, it must register.

Ace

"Ace Fekay [MVP]" <PleaseAskMe@SomeDomain.com> wrote in message
news:%232owaTVXGHA.3496@TK2MSFTNGP05.phx.gbl...
> In news:OaOracLXGHA.4324@TK2MSFTNGP03.phx.gbl,
> churchmouse@noemail.nospam.net <churchmouse@noemail.nospam.net> stated,
> which I commented on below:
>>
>> Hello Ace . mmac here. Good to see you are still around.
>> The dcpromo was in response to the failure of the HD set. After the
>> repair, the server functioned and served mail but if I tried to add a
>> user it wouldn't populate to the mail server the event log error were
>> for USN rollback. The soution was to demote, and remove metadata that
>> referred to theat machine and repromote. So I seized the roles and
>> did just that. So it does seem to be a DNS issue and I'll follow
>> your advice this evening.
>> Since there are three DNS servers I assume that I should delete those
>> records from them all?
>> And then reregister just the mail server? -correct?
>
> Hi Mike, nice to hear from you again!
>
> I haven't seen a "USN rollback" error or msg yet. Did you follow this
> article to fix it (which also includes a couple relevant Microsoft
> articles):
> http://www.jsifaq.com/SUBR/tip8900/rh8952.htm
>
> As for DNS, all machines don't need to register other than DCs. If this is
> a DC, it must register.
>
> Ace
>
Yes, I did follow the USN rollback procedure, though it was a bit above my
pay grade. (and there was a message to that effect way back in the log )

BTW The machine throwing the error is different from the machine that had
the problem.
Here is the error from DCDIAG on the offending (untouched) machine. (MAIL is
the machine that had the USN rollback.)
(P.S. Doesn't a mail server with AD have to be a DC?)
Testing server: Default-First-Site-Name\MAIL
Starting test: Connectivity
MAIL's server GUID DNS name could not be resolved to an IP address. Check
the DNS server, DHCP, server name, etc

Although the Guid DNS name
(de287dd9-8987-44b7-99b6-ddf74125c1d0._msdcs.mydomain.com) couldn't be
resolved, the server name (mail.mydomain.com) resolved to the IP address
(xxx.xxx.xxx.26) and was pingable. Check that the IP address is registered
correctly with the DNS server.

.......................... MAIL failed test Connectivity
Testing server: Default-First-Site-Name\MAIL

Skipping all tests, because server MAIL is not responding to directory
service requests

-mmac

In news:uxxI$FlXGHA.4184@TK2MSFTNGP03.phx.gbl,
churchmouse@noemail.nospam.net <churchmouse@noemail.nospam.net> stated,
which I commented on below:
>
> Yes, I did follow the USN rollback procedure, though it was a bit
> above my pay grade. (and there was a message to that effect way back
> in the log )
> BTW The machine throwing the error is different from the machine that
> had the problem.
> Here is the error from DCDIAG on the offending (untouched) machine.
> (MAIL is the machine that had the USN rollback.)
> (P.S. Doesn't a mail server with AD have to be a DC?)
> Testing server: Default-First-Site-Name\MAIL
> Starting test: Connectivity
> MAIL's server GUID DNS name could not be resolved to an IP address.
> Check the DNS server, DHCP, server name, etc
>
> Although the Guid DNS name
> (de287dd9-8987-44b7-99b6-ddf74125c1d0._msdcs.mydomain.com) couldn't be
> resolved, the server name (mail.mydomain.com) resolved to the IP
> address (xxx.xxx.xxx.26) and was pingable. Check that the IP address
> is registered correctly with the DNS server.
>
> ......................... MAIL failed test Connectivity
> Testing server: Default-First-Site-Name\MAIL
>
> Skipping all tests, because server MAIL is not responding to directory
> service requests
>
> -mmac

Pay grade? :-)

See if this ghows up anywhere under _msdcs folder:
de287dd9-8987-44b7-99b6-ddf74125c1d0._msdcs.mydomain.com

If not, run ipconfig /registerdns. Make sure the DNS address in IP
properties is only using this DNS.

As for Exchange on a DC? That's taboo. Highly recommend Exchange NOT be on a
DC.

Ace

"Ace Fekay [MVP]" <PleaseAskMe@SomeDomain.com> wrote in message
news:%23GZPJnqXGHA.4768@TK2MSFTNGP04.phx.gbl...
> In news:uxxI$FlXGHA.4184@TK2MSFTNGP03.phx.gbl,
> churchmouse@noemail.nospam.net <churchmouse@noemail.nospam.net> stated,
> which I commented on below:
>>
>> Yes, I did follow the USN rollback procedure, though it was a bit
>> above my pay grade. (and there was a message to that effect way back
>> in the log )
>> BTW The machine throwing the error is different from the machine that
>> had the problem.
>> Here is the error from DCDIAG on the offending (untouched) machine.
>> (MAIL is the machine that had the USN rollback.)
>> (P.S. Doesn't a mail server with AD have to be a DC?)
>> Testing server: Default-First-Site-Name\MAIL
>> Starting test: Connectivity
>> MAIL's server GUID DNS name could not be resolved to an IP address.
>> Check the DNS server, DHCP, server name, etc
>>
>> Although the Guid DNS name
>> (de287dd9-8987-44b7-99b6-ddf74125c1d0._msdcs.mydomain.com) couldn't be
>> resolved, the server name (mail.mydomain.com) resolved to the IP
>> address (xxx.xxx.xxx.26) and was pingable. Check that the IP address
>> is registered correctly with the DNS server.
>>
>> ......................... MAIL failed test Connectivity
>> Testing server: Default-First-Site-Name\MAIL
>>
>> Skipping all tests, because server MAIL is not responding to directory
>> service requests
>>
>> -mmac
>
> Pay grade? :-)
>
> See if this ghows up anywhere under _msdcs folder:
> de287dd9-8987-44b7-99b6-ddf74125c1d0._msdcs.mydomain.com
>
> If not, run ipconfig /registerdns. Make sure the DNS address in IP
> properties is only using this DNS.
>
> As for Exchange on a DC? That's taboo. Highly recommend Exchange NOT be on
> a DC.
> Ace

on this machine de287dd9-8987-44b7-99b6-ddf74125c1d0 is not shown on
another it's a different number and at one time there were two numbers, this
one and another. How do I know that this number is correct?

Why is an exchange machine not recommended to be a DC (assuming that there
are other DC's of course) ?

In news:Onj2O9xXGHA.3868@TK2MSFTNGP04.phx.gbl,
churchmouse@noemail.nospam.net <churchmouse@noemail.nospam.net> stated,
which I commented on below:
> on this machine de287dd9-8987-44b7-99b6-ddf74125c1d0 is not shown on
> another it's a different number and at one time there were two
> numbers, this one and another.

That is the domain record under the _msdcs zone or folder, depending on
operating system skew.

> How do I know that this number is
> correct?

It should self register. I believe you can use LDP to determine the domain
GUID, but I forget the exact attribute or record to look for. However, if
you delete the system32\config\netlogon.dns and .dnb files, and restart the
netlogon service, it will recreate those two files. Open the netlogon.dns
file, and look for the _msdcs records and it will show you what the GUID
should be. That is the file that the netlogon service uses once assembled,
to registers into DNS.

>
> Why is an exchange machine not recommended to be a DC (assuming that
> there are other DC's of course) ?

Numerous reasons. Performance for one, backup and recoverability as well.
DCs kill the write-cache function on the drive to protect the AD database in
case of power failure and it cannot be changed back. This slows it down by
about 10%. Exchange is a heavy hitter, therefore an additional slow down,
and can affect domain functionality and email access during peak usage.

Recoverability as well. Ever loose a DC with Exchange on it? Recovering it
is complex.
You also cannot do a system state and an Exchange backup in the same job.
NTBACKUP caveat for Exchange and system state backups:
http://searchexchange.techtarget.com...-368&ad=532361

Besides, you're probably also running DNS on it too, and possibly WINS and
DHCP? If not, what else is running on it?
Also, if you ever wanted to demote the DC, you cannot without uninstalling
Exchange FIRST.

There are a few other reasons, but I believe these should be convincing.

Ace

"Ace Fekay [MVP]" <PleaseAskMe@SomeDomain.com> wrote in message
news:uL2Pv8DYGHA.5004@TK2MSFTNGP02.phx.gbl...
> In news:Onj2O9xXGHA.3868@TK2MSFTNGP04.phx.gbl,
> churchmouse@noemail.nospam.net <churchmouse@noemail.nospam.net> stated,
> which I commented on below:
>> on this machine de287dd9-8987-44b7-99b6-ddf74125c1d0 is not shown on
>> another it's a different number and at one time there were two
>> numbers, this one and another.
>
> That is the domain record under the _msdcs zone or folder, depending on
> operating system skew.
>
>> How do I know that this number is
>> correct?
>
> It should self register. I believe you can use LDP to determine the domain
> GUID, but I forget the exact attribute or record to look for. However, if
> you delete the system32\config\netlogon.dns and .dnb files, and restart
> the netlogon service, it will recreate those two files. Open the
> netlogon.dns file, and look for the _msdcs records and it will show you
> what the GUID should be. That is the file that the netlogon service uses
> once assembled, to registers into DNS.
>
>>
>> Why is an exchange machine not recommended to be a DC (assuming that
>> there are other DC's of course) ?
>
> Numerous reasons. Performance for one, backup and recoverability as well.
> DCs kill the write-cache function on the drive to protect the AD database
> in case of power failure and it cannot be changed back. This slows it down
> by about 10%. Exchange is a heavy hitter, therefore an additional slow
> down, and can affect domain functionality and email access during peak
> usage.
>
> Recoverability as well. Ever loose a DC with Exchange on it? Recovering it
> is complex.
> You also cannot do a system state and an Exchange backup in the same job.
> NTBACKUP caveat for Exchange and system state backups:
> http://searchexchange.techtarget.com...-368&ad=532361
>
> Besides, you're probably also running DNS on it too, and possibly WINS and
> DHCP? If not, what else is running on it?
> Also, if you ever wanted to demote the DC, you cannot without uninstalling
> Exchange FIRST.
> There are a few other reasons, but I believe these should be convincing.
>
> Ace

Hoo Boy, this was a DC,GC, running Exchange2K, WINS, DNS and AntiSpyware.
AND it is the one I demoted (without removing exchange BTW). No wonder I've
had so much fun!

In news:uB62Q6WYGHA.4060@TK2MSFTNGP02.phx.gbl,
..:mmac:. <lost@sea> stated, which I commented on below:
>
> Hoo Boy, this was a DC,GC, running Exchange2K, WINS, DNS and
> AntiSpyware. AND it is the one I demoted (without removing exchange
> BTW). No wonder I've had so much fun!

This calls for a berr and shot of Crown Royal, not to celebrate, but to ease
the stress...

Ace

Amen Brother!

"Ace Fekay [MVP]" <PleaseAskMe@SomeDomain.com> wrote in message
news:OZj%23ZMnYGHA.3832@TK2MSFTNGP04.phx.gbl...
> In news:uB62Q6WYGHA.4060@TK2MSFTNGP02.phx.gbl,
> .:mmac:. <lost@sea> stated, which I commented on below:
>>
>> Hoo Boy, this was a DC,GC, running Exchange2K, WINS, DNS and
>> AntiSpyware. AND it is the one I demoted (without removing exchange
>> BTW). No wonder I've had so much fun!
>
> This calls for a berr and shot of Crown Royal, not to celebrate, but to
> ease the stress...
>
> Ace
>
>
>
>