joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

This Active Directory installation requires domain configuration changes, but whether these changes have been made on the domain controller xxx.domain.com is undetermined…

by @ 9:19 pm on 7/15/2006. Filed under tech

Ever see the error

This Active Directory installation requires domain configuration changes, but whether these changes have been made on the domain controller xxx.domain.com is undetermined. The installation process has quit.

“The system cannot find the file specified.”

when doing a DCPROMO?

I was going through my emails trying to clean up and hit one where someone had that error. In general I try to help folks out, I realize that everyone is on a learning curve and that I wouldn’t be where I am if people hadn’t answered questions for me at one point and plus, I think we should be helping each other out with this stuff because the community really helps us move forward. None of would us be any good without the community and we would be fools to not realize that and try to help the community as well. To put it another way, everything I use was not invented or built by me so obviously I am standing on someone else’s shoulders and I expect others will stand on mine. It is a good thing to help them.

Now this can get out of hand I admit, I get hundreds of emails asking for help, I try to help everyone I can but there are just some that I have to say I am sorry to. I could easily spend all of my time doing free support so I put off a portion of my time to do some level of it. I would be a jerk being where I was with the knowledge I have if I did otherwise.

So back to the problem… I responded to the email and told the person to send me a network trace. 99.999999999% of the time issues like this become glaringly obvious when you get a network trace. Why? Because the machine is reaching across the network and asking for something and not getting it. Looking at a network trace helps you figure out what it isn’t getting… See how that works? :)

So usually when I ask for the trace I get one of three results.

The first is that the person says I don’t know how to do that or I can’t load that software on my machine, can you just tell me things to try… My response to that is always NO. If you aren’t willing to do what you can to properly troubleshoot, I am not going to try and guess on your behalf. I hate when I tell someone in the newsgroups to get a trace and then some idiot comes along and starts giving statements of it could be this this or this, try that that and that. If the person just got the trace, they would probably find out very quickly what the issue is and only have to do the one correct thing.

The second is that the person gets the trace, actually looks at it and sees the problem and sends me an email saying hey thanks, I figured it out. To them, I bow and say kudos, good job, this is how you get better.

The third is that they send me the trace. Often but not always I see the problem right away. This isn’t because I took the super duper network trace reading class. It is because whenever I get a chance, I look at network traces of things running right so I can get a feel of what is happening in the background and a feel for how things are supposed to look when going correctly. I didn’t start knowing what everything means and I don’t even start to pretend I know what everything means now. I am just a little less intimidated when going through them and looking at things and have learned things I can discount for the specific issue I am looking for. For instance, with this issue the problem is most likely LDAP or DNS so I shouldn’t need to focus on port 80 traffic. Unless I know for sure what protocol is involved I will not filter out protocols though; I could be wrong in my guess… I will focus on specific machines though, that does a lot to help out.

So I get the trace of the above problem and sure enough, the issue is plain to see… I actually reproduced it on one of my test networks so that I could show the packets here that show the issue without giving away someone else’s corporate info.

So what is the issue already you long winded beggar…

Part way through the DCPROMO process the promoting machine wants to find out who the infrastructure master is. So it queries the DC it is talking to with a base of [WKGUID=2FBAC1870ADE11D297C400C04FD8D5CD] (those brackets should be GT and LT symbols but wordpress will think that is an html tag). This will return the name of the Infrastructure container. The machine will then ask for that object AGAIN by name (I have no idea why, this should have been one LDAP call…) but this time ask for the fSMORoleOwner attribute. Once it has the value for that it will then ask AD for that object so it can get the dNSHostName.

Well in the case of this broken AD Promotion the object returned was for a DC that had failed and been deleted out of the directory with NTDSUTIL. So when the machine asked for this object it didn’t use the show deleted objects OID so it gets a NoSuchObject back and that blows out the whole promo process with the error I mentioned before – The system cannot find the file specified. Ok, so it isn’t a file that isn’t found. Yes I agree, the error message could be much better.

The problem would have been avoided had the FSMO role holders been checked prior to the promo process. You generally don’t want to leave FSMO roles on machines that no longer exist. Who knows what kind of things will break, well outside of this thing I just pointed out.

So here is what this looked like in Ethereal.

No.     Time        Source                Destination           Protocol Info
   2801 225.756831  192.168.0.118         192.168.0.119         LDAP     MsgId=46 Search Request, Base DN=CN=Infrastructure,DC=joeware,DC=local
Lightweight Directory Access Protocol
    SASL Buffer Length: 150
    SASL buffer
        GSS-API payload (104 bytes)
            LDAP Message, Search Request
                Message Id: 46
                Message Type: Search Request (0x03)
                Message Length: 88
                Response In: 2802
                Base DN: CN=Infrastructure,DC=joeware,DC=local
                Scope: Base (0x00)
                Dereference: Never (0x00)
                Size Limit: 0
                Time Limit: 0
                Attributes Only: False
                Filter: (objectClass=*)
                Attribute: fSMORoleOwner
No.     Time        Source                Destination           Protocol Info
   2802 225.760184  192.168.0.119         192.168.0.118         LDAP     MsgId=46 Search Entry, 1 result

Lightweight Directory Access Protocol
    SASL Buffer Length: 356
    SASL buffer
        GSS-API payload (309 bytes)
            LDAP Message, Search Entry
                Message Id: 46
                Message Type: Search Entry (0x04)
                Message Length: 271
                Response To: 2801
                Time: 0.003353000 seconds
                Distinguished Name: CN=Infrastructure,DC=joeware,DC=local
                Attribute: fSMORoleOwner
                    Value: CN=NTDS Settings\0ADEL:9565aef6-dbbc-4a9b-af15-49dfdf25dfff,CN=DC1\0ADEL:373a9d07-f6bb-4370-a939-6f1c0fa76683,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joeware,DC=local
            LDAP Message, Search Result
                Message Id: 46
                Message Type: Search Result (0x05)
                Message Length: 7
                Response To: 2801
                Time: 0.003353000 seconds
                Result Code: success (0x00)
                Matched DN: (null)
                Error Message: (null)
No.     Time        Source                Destination           Protocol Info
   2803 225.761389  192.168.0.118         192.168.0.119         LDAP     MsgId=47 Search Request, Base DN=CN=DC1\0ADEL:373a9d07-f6bb-4370-a939-6f1c0fa76683,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joeware,DC=local

Lightweight Directory Access Protocol
    SASL Buffer Length: 246
    SASL buffer
        GSS-API payload (200 bytes)
            LDAP Message, Search Request
                Message Id: 47
                Message Type: Search Request (0x03)
                Message Length: 184
                Response In: 2804
                Base DN: CN=DC1\0ADEL:373a9d07-f6bb-4370-a939-6f1c0fa76683,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joeware,DC=local
                Scope: Base (0x00)
                Dereference: Never (0x00)
                Size Limit: 0
                Time Limit: 0
                Attributes Only: False
                Filter: (objectClass=*)
                Attribute: dnsHostName
No.     Time        Source                Destination           Protocol Info
   2804 225.766572  192.168.0.119         192.168.0.118         LDAP     MsgId=47 Search Result, noSuchObject

Lightweight Directory Access Protocol
    SASL Buffer Length: 432
    SASL buffer
        GSS-API payload (385 bytes)
            LDAP Message, Search Result
                Message Id: 47
                Message Type: Search Result (0x05)
                Message Length: 369
                Response To: 2803
                Time: 0.005183000 seconds
                Result Code: noSuchObject (0x20)
                Matched DN: CN=DC1\0ADEL:373a9d07-f6bb-4370-a939-6f1c0fa76683,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joeware,DC=local
                Error Message: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'CN=DC1\0ADEL:373a9d07-f6bb-4370-a939-6f1c0fa76683,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joeware,DC=local'\n

Rating 3.00 out of 5

3 Responses to “This Active Directory installation requires domain configuration changes, but whether these changes have been made on the domain controller xxx.domain.com is undetermined…”

  1. steve samuels says:

    Hi,
    This is the exact message I am getting when attempting a dcpromo on a server that was lost and rebuilt. However I dont understand what I am to do with the information you have provided. Can you please elaborate?

    Thx
    Steve

  2. joe says:

    You need to validate that all of your roles are on valid DCs, if not, seize the roles to a valid DC.

  3. DavidKirchner says:

    I believe the rest of this answer is test for FSMO, then read the MS fix page.

    c:\NETDOM QUERY FSMO
    The system cannot find the file specified.
    The command failed to complete successfully.

    If you get this error (also a cannot find file!) then
    read about the fix here.

    255504 Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller
    http://support.microsoft.com/?id=255504

[joeware – never stop exploring… :) is proudly powered by WordPress.]