Operations Masters Shows ERROR when trying to move FSMO roles.

Anonymous
2024-07-24T02:12:39+00:00

Hi All,

Started to notice problems with the Primary Domain Controller in that it was no longer replicating over to the Backup Domain Controller.

Ran Netdom query fsmo

PS C:\Users\Administrator> netdom query fsmo

Schema master TT-Mgmt.x****

Domain naming master TT-Mgmt.x****

PDC TT-Mgmt.x****

RID pool manager TT-Mgmt.x****

Infrastructure master TT-Mgmt.x****

The command completed successfully.

This PDC contains all FSMO Roles.

Next I Ran DCDiag

and came up with following errors:

PS C:\Users\Administrator> dcdiag /v

Directory Server Diagnosis

Performing initial setup:

Trying to find home server...

* Verifying that the local machine TT-Mgmt, is a Directory Server.

Home Server = TT-Mgmt

* Connecting to directory service on server TT-Mgmt.

* Identified AD Forest.

Collecting AD specific global data

* Collecting site info.

Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=TampaTitle,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......

The previous call succeeded

Iterating through the sites

Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxxx,DC=com

Getting ISTG and options for the site

* Identifying all servers.

Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=xxxx,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......

The previous call succeeded....

No pages could not be obtained.

Run with /v mode to get detailed info

ldap_get_next_page_s failed after the above init

PS C:\Users\Administrator> repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\TT-MGMT

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: 957ea0ab-xxxx-4c13-a14d-dad0f2a0451e

DSA invocationID: 957ea0ab-xxxx-4c13-a14d-dad0f2a0451e

DsReplicaGetInfo() failed with status 1127 (0x467):

While accessing the hard disk, a disk operation failed even after retries. 

LDAP error 1 (Operations Error) Win32 Err 110.

This is a Hyper-V VM running on Windows server 2012R2 .

I ran HDTune which came back with no Hard Drive errors.

This is the event id; in AD DS:

TT-MGMT 476 Error NTDS ISAM Directory Service 7/23/2024 9:30:50 PM

NTDS (664) NTDSA: The database page read from the file "C:\Windows\NTDS\ntds.dit" at offset 15630336 (0x0000000000ee8000) (database page 1907 (0x773)) for 8192 (0x00002000) bytes failed verification because it contains no page data. The read operation will fail with error -1019 (0xfffffc05). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

TT-MGMT 4015 Error Microsoft-Windows-DNS-Server-Service DNS Server 7/23/2024 9:33:36 PM

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "000020EF: SvcErr: DSID-02060182, problem 5012 (DIR_ERROR), data -1019". The event data contains the error.

PS C:\Users\Administrator> sfc /scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.

Verification 100% complete.

Windows Resource Protection found corrupt files but was unable to fix some

of them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For

example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not

supported in offline servicing scenarios.

CBS.LOG Section

=================================

Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-ie-ratings_31bf3856ad364e35_11.0.9600.20564_none_b47259595969339d\icrav03.rat do not match actual file [l:22{11}]"icrav03.rat" :

Found: {l:32 b:spVdk78E8YPUhG+DEOQVlFs0IkVVdAOnSoxGwO2xMJs=} Expected: {l:32 b:zW+HxvMZQlzIGdOo+HzxsveroP6yl5lWK3CxFjLo0W4=}

2024-07-23 22:00:34, Info CSI 00000961 [SR] Cannot repair member file [l:22{11}]"icrav03.rat" of Microsoft-Windows-IE-Ratings, Version = 11.0.9600.20564, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2024-07-23 22:00:34, Info CSI 00000962 Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-ie-ratings_31bf3856ad364e35_11.0.9600.20564_none_5853bdd5a10bc267\icrav03.rat do not match actual file [l:22{11}]"icrav03.rat" :

Found: {l:32 b:spVdk78E8YPUhG+DEOQVlFs0IkVVdAOnSoxGwO2xMJs=} Expected: {l:32 b:zW+HxvMZQlzIGdOo+HzxsveroP6yl5lWK3CxFjLo0W4=}

2024-07-23 22:00:34, Info CSI 00000963 [SR] Cannot repair member file [l:22{11}]"icrav03.rat" of Microsoft-Windows-IE-Ratings, Version = 11.0.9600.20564, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2024-07-23 22:00:34, Info CSI 00000964 Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-ie-ratings_31bf3856ad364e35_11.0.9600.20564_none_5853bdd5a10bc267\icrav03.rat do not match actual file [l:22{11}]"icrav03.rat" :

Found: {l:32 b:spVdk78E8YPUhG+DEOQVlFs0IkVVdAOnSoxGwO2xMJs=} Expected: {l:32 b:zW+HxvMZQlzIGdOo+HzxsveroP6yl5lWK3CxFjLo0W4=}

2024-07-23 22:00:34, Info CSI 00000965 [SR] Cannot repair member file [l:22{11}]"icrav03.rat" of Microsoft-Windows-IE-Ratings, Version = 11.0.9600.20564, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2024-07-23 22:00:34, Info CSI 00000966 [SR] This component was referenced by [l:160{80}]"Package_1397_for_KB5017367~31bf3856ad364e35~amd64~~6.3.1.13.5017367-2376_neutral"

2024-07-23 22:00:34, Info CSI 00000967 Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-ie-ratings_31bf3856ad364e35_11.0.9600.20564_none_b47259595969339d\icrav03.rat do not match actual file [l:22{11}]"icrav03.rat" :

Found: {l:32 b:spVdk78E8YPUhG+DEOQVlFs0IkVVdAOnSoxGwO2xMJs=} Expected: {l:32 b:zW+HxvMZQlzIGdOo+HzxsveroP6yl5lWK3CxFjLo0W4=}

2024-07-23 22:00:34, Info CSI 00000968 [SR] Cannot repair member file [l:22{11}]"icrav03.rat" of Microsoft-Windows-IE-Ratings, Version = 11.0.9600.20564, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2024-07-23 22:00:34, Info CSI 00000969 [SR] This component was referenced by [l:158{79}]"Package_802_for_KB5017367~31bf3856ad364e35~amd64~~6.3.1.13.5017367-1295_neutral"

2024-07-23 22:00:34, Info CSI 0000096a [SR] Repair complete

2024-07-23 22:00:34, Info CSI 0000096b [SR] Committing transaction

======================================================

Question is this a problem with the virtual hard drive?

Should I try to seize the FSMO roles to the BPC and rebuild another BDC?

Thanks in advance for your help.

Earl Martin

Windows Server Identity and access Active Directory


4 answers

  1. Anonymous
    2024-07-24T06:48:56+00:00

    Hi Earl Martin1,

    Thank you for posting in the Microsoft Community Forums.

    Looking at the report it seems to be a corruption in the OS file, if it is a virtual machine. You can try to recreate a BDC domain control and transfer or seize the FSMO in full to the new domain control. Or try to repair the system files of the domain control in question.

    Best regards

    Neuvi Jiang

    1 person found this answer helpful.
  2. Anonymous
    2024-07-24T14:26:02+00:00

    Dear Earl Martin,

    good afternoon.

    Do you have a copy of the NTDS.dat -file? This is the actual Active Directory database file and needs to be restored in /directory restore mode. If this is the problem.

    This should not happen. There are literally billions and billions of power signals sent every second in profound order. Sometimes one will collide on another creating a short. Normally this would not matter by all safety measures but sometimes a file becomes unrenderable.

    Yours sincerely,

    Bjarne Petersen

    1 person found this answer helpful.
  3. Anonymous
    2024-07-26T01:05:09+00:00

    Thanks Bjarne,

    Unfortunately, I didn't have a copy of the NTDS.dat file. I ended up using the Ntdsutil with the following commands:

    1. Sign in to a domain controller which is inside the forest where the FSMO roles need to be transferred.
    2. Open the Start menu --> Run.
    3. Type ntdsutil and click OK.
    4. In the ntdsutil prompt, type roles and press Enter.
    5. Next, type connections and press Enter.
    6. Type connect to server <servername> and press Enter. <servername> refers to the name of the DC to which the roles are assigned.
    7. Type q at the server connections prompt and press Enter.
    8. Type seize <role> and press Enter. <role> refers to the role being seized. The commands to seize each of the five FSMO roles are given as follows.
       - seize naming master
       - seize infrastructure master
       - seize rid master
       - seize schema master
       - seize pdc
    9. Type q at the fsmo maintenance prompt and press Enter.
    10. Type q again at the ntdsutil prompt and press Enter to exit.

    Before using the NTdsutil I tried using the Powershell commands but kept getting errors.

    Thanks again for your and Neuvi Jiang's help with this.

    Earl Martin
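
The seizure described in the reply above, done with the ActiveDirectory PowerShell module instead of ntdsutil, with a check of the role holders before and after. This is an added example, not part of the original post; the DC names `OLD-DC01` and `NEW-DC01` are placeholders and the `-Seize` switch is the script's own parameter.

```powershell
#Requires -Modules ActiveDirectory
# Added example. OLD-DC01 / NEW-DC01 are placeholder names; -Seize is this script's own switch.
param(
    [string]$FailedDC = 'OLD-DC01',   # DC whose directory database is damaged
    [string]$TargetDC = 'NEW-DC01',   # healthy DC that will hold the roles
    [switch]$Seize                    # without it, the script only reports
)

function Get-FsmoHolder([string]$Server) {
    # Read the role owners from the named DC's copy of the directory.
    $f = Get-ADForest -Server $Server
    $d = Get-ADDomain -Server $Server
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Get-RolesOn([System.Collections.IDictionary]$Holders, [string]$DC) {
    # Compare host names only, so a short name and an FQDN both match.
    $short = ($DC -split '\.')[0]
    @($Holders.Keys | Where-Object { ($Holders[$_] -split '\.')[0] -ieq $short })
}

$before = Get-FsmoHolder $TargetDC
$before.GetEnumerator() | Format-Table Name, Value -AutoSize
$toMove = Get-RolesOn $before $FailedDC

if (-not $toMove) { Write-Output "No FSMO roles are recorded on $FailedDC."; return }
if (-not $Seize)  { Write-Output "Would seize: $($toMove -join ', '). Re-run with -Seize."; return }

# If the old holder still answers directory queries, stop and try a graceful transfer first.
try   { $null = Get-ADRootDSE -Server $FailedDC -ErrorAction Stop; $alive = $true }
catch { $alive = $false }
if ($alive) { throw "$FailedDC still answers. Try a transfer (same cmdlet, no -Force) first." }

# -Force tells the cmdlet to seize instead of requiring a graceful transfer.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $toMove -Force -Confirm:$false

# Verify against the target DC, then keep the old holder off the network until it is rebuilt.
$left = Get-RolesOn (Get-FsmoHolder $TargetDC) $FailedDC
if ($left) { throw "Still recorded on ${FailedDC}: $($left -join ', ')" }
Write-Output "All roles now on $TargetDC. Clean up ${FailedDC}'s metadata before reusing its name."
```

Run it once without `-Seize` to see which roles would move. After a seizure, the previous role holder should not be returned to the network with its old directory database.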

  4. Anonymous
    2024-07-26T06:00:40+00:00

    Dear Earl Martin,

    good morning.

    Hihihi,... I do think you have a copy of the NTDS.dat file. :-)

    You say the PDC is starting to have troubles replicating to the BDC..... Where would that ntds-file be... (?) I think it needs to be on the BDC as well and there you go! Put it on the PDC through the active directory restore mode and you should be good to go!

    Cheers and have fun!

    Yours sincerely,

    Bjarne Petersen
