Ever see the error
This Active Directory installation requires domain configuration changes, but whether these changes have been made on the domain controller xxx.domain.com is undetermined. The installation process has quit.
“The system cannot find the file specified.”
when doing a DCPROMO?
I was going through my emails trying to clean up and hit one where someone had that error. In general I try to help folks out, I realize that everyone is on a learning curve and that I wouldn’t be where I am if people hadn’t answered questions for me at one point and plus, I think we should be helping each other out with this stuff because the community really helps us move forward. None of us would be any good without the community and we would be fools to not realize that and try to help the community as well. To put it another way, everything I use was not invented or built by me so obviously I am standing on someone else’s shoulders and I expect others will stand on mine. It is a good thing to help them.
Now this can get out of hand I admit, I get hundreds of emails asking for help, I try to help everyone I can but there are just some that I have to say I am sorry to. I could easily spend all of my time doing free support so I put off a portion of my time to do some level of it. I would be a jerk being where I was with the knowledge I have if I did otherwise.
So back to the problem… I responded to the email and told the person to send me a network trace. 99.999999999% of the time issues like this become glaringly obvious when you get a network trace. Why? Because the machine is reaching across the network and asking for something and not getting it. Looking at a network trace helps you figure out what it isn’t getting… See how that works? 🙂
So usually when I ask for the trace I get one of three results.
The first is that the person says I don’t know how to do that or I can’t load that software on my machine, can you just tell me things to try… My response to that is always NO. If you aren’t willing to do what you can to properly troubleshoot, I am not going to try and guess on your behalf. I hate when I tell someone in the newsgroups to get a trace and then some idiot comes along and starts giving statements of it could be this this or this, try that that and that. If the person just got the trace, they would probably find out very quickly what the issue is and only have to do the one correct thing.
The second is that the person gets the trace, actually looks at it and sees the problem and sends me an email saying hey thanks, I figured it out. To them, I bow and say kudos, good job, this is how you get better.
The third is that they send me the trace. Often but not always I see the problem right away. This isn’t because I took the super duper network trace reading class. It is because whenever I get a chance, I look at network traces of things running right so I can get a feel of what is happening in the background and a feel for how things are supposed to look when going correctly. I didn’t start knowing what everything means and I don’t even start to pretend I know what everything means now. I am just a little less intimidated when going through them and looking at things and have learned things I can discount for the specific issue I am looking for. For instance, with this issue the problem is most likely LDAP or DNS so I shouldn’t need to focus on port 80 traffic. Unless I know for sure what protocol is involved I will not filter out protocols though; I could be wrong in my guess… I will focus on specific machines though, that does a lot to help out.
So I get the trace of the above problem and sure enough, the issue is plain to see… I actually reproduced it on one of my test networks so that I could show the packets here that show the issue without giving away someone else’s corporate info.
So what is the issue already you long winded beggar…
Part way through the DCPROMO process the promoting machine wants to find out who the infrastructure master is. So it queries the DC it is talking to with a base of <WKGUID=2FBAC1870ADE11D297C400C04FD8D5CD>. This will return the name of the Infrastructure container. The machine will then ask for that object AGAIN by name (I have no idea why, this should have been one LDAP call…) but this time ask for the fSMORoleOwner attribute. Once it has the value for that it will then ask AD for that object so it can get the dNSHostName.
Well in the case of this broken AD Promotion the object returned was for a DC that had failed and been deleted out of the directory with NTDSUTIL. So when the machine asked for this object it didn’t use the show deleted objects OID, so it got a noSuchObject back and that blew out the whole promo process with the error I mentioned before – The system cannot find the file specified. Ok, so it isn’t a file that isn’t found. Yes I agree, the error message could be much better.
The problem would have been avoided had the FSMO role holders been checked prior to the promo process. You generally don’t want to leave FSMO roles on machines that no longer exist. Who knows what kind of things will break, well outside of this thing I just pointed out.
So here is what this looked like in Ethereal.
No.    Time       Source               Destination          Protocol Info
  2801 225.756831 192.168.0.118        192.168.0.119        LDAP    MsgId=46 Search Request, Base DN=CN=Infrastructure,DC=joeware,DC=local
Lightweight Directory Access Protocol
   SASL Buffer Length: 150
   SASL buffer
       GSS-API payload (104 bytes)
           LDAP Message, Search Request
               Message Id: 46
               Message Type: Search Request (0x03)
               Message Length: 88
               Response In: 2802
               Base DN: CN=Infrastructure,DC=joeware,DC=local
               Scope: Base (0x00)
               Dereference: Never (0x00)
               Size Limit: 0
               Time Limit: 0
               Attributes Only: False
               Filter: (objectClass=*)
               Attribute: fSMORoleOwner
No.    Time       Source               Destination          Protocol Info
  2802 225.760184 192.168.0.119        192.168.0.118        LDAP    MsgId=46 Search Entry, 1 result
Lightweight Directory Access Protocol
   SASL Buffer Length: 356
   SASL buffer
       GSS-API payload (309 bytes)
           LDAP Message, Search Entry
               Message Id: 46
               Message Type: Search Entry (0x04)
               Message Length: 271
               Response To: 2801
               Time: 0.003353000 seconds
               Distinguished Name: CN=Infrastructure,DC=joeware,DC=local
               Attribute: fSMORoleOwner
                   Value: CN=NTDS Settings\0ADEL:9565aef6-dbbc-4a9b-af15-49dfdf25dfff,CN=DC1\0ADEL:373a9d07-f6bb-4370-a939-6f1c0fa76683,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joeware,DC=local
           LDAP Message, Search Result
               Message Id: 46
               Message Type: Search Result (0x05)
               Message Length: 7
               Response To: 2801
               Time: 0.003353000 seconds
               Result Code: success (0x00)
               Matched DN: (null)
               Error Message: (null)
No.    Time       Source               Destination          Protocol Info
  2803 225.761389 192.168.0.118        192.168.0.119        LDAP    MsgId=47 Search Request, Base DN=CN=DC1\0ADEL:373a9d07-f6bb-4370-a939-6f1c0fa76683,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joeware,DC=local
Lightweight Directory Access Protocol
   SASL Buffer Length: 246
   SASL buffer
       GSS-API payload (200 bytes)
           LDAP Message, Search Request
               Message Id: 47
               Message Type: Search Request (0x03)
               Message Length: 184
               Response In: 2804
               Base DN: CN=DC1\0ADEL:373a9d07-f6bb-4370-a939-6f1c0fa76683,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joeware,DC=local
               Scope: Base (0x00)
               Dereference: Never (0x00)
               Size Limit: 0
               Time Limit: 0
               Attributes Only: False
               Filter: (objectClass=*)
               Attribute: dnsHostName
No.    Time       Source               Destination          Protocol Info
  2804 225.766572 192.168.0.119        192.168.0.118        LDAP    MsgId=47 Search Result, noSuchObject
Lightweight Directory Access Protocol
   SASL Buffer Length: 432
   SASL buffer
       GSS-API payload (385 bytes)
           LDAP Message, Search Result
               Message Id: 47
               Message Type: Search Result (0x05)
               Message Length: 369
               Response To: 2803
               Time: 0.005183000 seconds
               Result Code: noSuchObject (0x20)
               Matched DN: CN=DC1\0ADEL:373a9d07-f6bb-4370-a939-6f1c0fa76683,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joeware,DC=local
               Error Message: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'CN=DC1\0ADEL:373a9d07-f6bb-4370-a939-6f1c0fa76683,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=joeware,DC=local'\n
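As an added example (not code from the original post), here is a pre-promotion check in Python that does offline what the promoting machine does on the wire: it takes each fSMORoleOwner DN, flags owners whose name carries the \0ADEL: tombstone marker, and derives the parent server object DN that DCPROMO would then query for dNSHostName. The sample values are constructed; the deleted one is copied from the trace above, the healthy DC2 owner is assumed.

```python
import re

# Sample fSMORoleOwner values, constructed for this example: the first is the
# deleted owner captured in the trace above, the second is an assumed healthy owner.
SAMPLE_ROLE_OWNERS = {
    "Infrastructure": (
        "CN=NTDS Settings\\0ADEL:9565aef6-dbbc-4a9b-af15-49dfdf25dfff,"
        "CN=DC1\\0ADEL:373a9d07-f6bb-4370-a939-6f1c0fa76683,"
        "CN=Servers,CN=Default-First-Site-Name,CN=Sites,"
        "CN=Configuration,DC=joeware,DC=local"
    ),
    "RID": (
        "CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,"
        "CN=Sites,CN=Configuration,DC=joeware,DC=local"
    ),
}

# A tombstoned object's RDN is mangled to "<name>\0ADEL:<objectGUID>"
# (escaped newline followed by DEL: and the object's GUID).
_DEL_MARKER = re.compile(r"\\0ADEL:([0-9a-fA-F-]{36})")


def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped (good enough here;
    a literal escaped backslash right before a separator is not handled)."""
    return re.split(r"(?<!\\),", dn)


def check_role_owner(role, owner_dn):
    """Return a finding for one FSMO role: does its owner reference a deleted object?"""
    rdns = split_dn(owner_dn)
    guids = [m.group(1) for m in map(_DEL_MARKER.search, rdns) if m]
    # fSMORoleOwner points at the NTDS Settings object; DCPROMO's next step is a
    # base search of its parent (the server object) for dNSHostName, which is the
    # search that came back noSuchObject in the trace.
    return {"role": role, "server_dn": ",".join(rdns[1:]),
            "deleted": bool(guids), "tombstone_guids": guids}


def audit_role_owners(owners):
    """Return the findings for roles whose owner is a tombstone (seize before promoting)."""
    return [f for f in (check_role_owner(r, dn) for r, dn in owners.items())
            if f["deleted"]]


if __name__ == "__main__":
    for f in audit_role_owners(SAMPLE_ROLE_OWNERS):
        print(f"{f['role']} master -> deleted DC {f['server_dn']}; seize the role first")
```

In a real run you would fill the mapping from a base search for fSMORoleOwner on the Infrastructure, RID Manager$, domain, Schema and Partitions objects, then seize any flagged role with ntdsutil before touching DCPROMO.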
Hi,
This is the exact message I am getting when attempting a dcpromo on a server that was lost and rebuilt. However I don’t understand what I am to do with the information you have provided. Can you please elaborate?
Thx
Steve
You need to validate that all of your roles are on valid DCs, if not, seize the roles to a valid DC.
I believe the rest of this answer is test for FSMO, then read the MS fix page.
c:\NETDOM QUERY FSMO
The system cannot find the file specified.
The command failed to complete successfully.
If you get this error (also a cannot find file!) then read about the fix here.
255504 Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller
http://support.microsoft.com/?id=255504