Active Directory problem...
Hi, I need help with the current AD of our organization. Since this week, when creating a new user I keep getting the error message:

Windows cannot verify that the username is unique because the following error occurred while contacting the global catalog: The Server is not operational

I have the following set-up in my organization:

AD01 (Windows 2003) - DC, Prim. DNS, GC (Domain Naming Operation Master)
AD02 (Windows 2003) - DC, Sec. DNS, GC (RID, PDC, Infrastructure)
AD03 (Windows 2003) - DC
AD04 (Windows 2000) - DC, DHCP, former Sec. DNS
AD05 (Windows 2000) - DC, GC, former Prim. DNS, Schema Master (first ever DC in the organization)

Note: AD05 is low on disk space and I cannot free up any more space on it, since it was set up way before I started in the organization with only 4 Gig of total space in drive C.

One thing that I noticed is that I did get the error I mention above every time I turned AD05 off, but now even though AD05 is turned on I still get that error, not sure why.

My other question is: can I transfer the FSMO roles from one server to another? And when I transfer the role, should I seize that server or can I still leave it online?

Any help would be appreciated. Thank you.
March 9th, 2010 6:09am

Hi,

Yes, you can transfer one FSMO role to another server, and in your case I think it will be better if you transfer this role to AD01 and then demote that old server:
http://support.microsoft.com/default.aspx/kb/324801

Please let me know your domain structure: are you using 1 domain or multiple domains? If your environment contains one domain, it's OK to leave the GC with the infrastructure master role on the same server, and if you are using multiple domains you have 2 choices:
a. To make all DCs GCs
b. To put the infrastructure master role on a DC that is not a GC
March 9th, 2010 10:44am

Hello,

if you have a single forest domain like domain.com, make all DCs GC, there is no problem with that. Please run dcdiag /v on the problem DC and post the complete output here. Transferring the FSMO roles can be done without any problem; seizing is only needed if a FSMO role holder isn't available anymore and will never be restored from a backup.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
March 9th, 2010 11:28am

We actually have two domains, and I cannot seem to transfer the Schema Master from AD05 to AD01. It gives me this error:

The Transfer of the operation master role cannot be performed because: Only DSAs configured to be Global Catalog servers should be allowed to hold Domain Naming Master FSMO role. (Applies only to Windows 2000 servers)

What does this mean?
March 9th, 2010 2:13pm

I actually cannot run anything on AD05, since it gives me the error: Disk is full... Is there any way that I can increase the Drive C of AD05? The server of AD05 has 3 hot swap hard disks (each 20 Gig), while in the server itself it has a Drive C that is 4 Gig and a Drive D that is 25 Gig. Any suggestions? Does the fact that AD05 is low on disk space have anything to do with it? Thank you.
March 9th, 2010 2:17pm

Hey, please go to %systemdrive%\winnt\softwaredistribution\download and delete everything in it. This folder contains all downloaded updates; it may give you some space. Also clear cookies and temporary internet files. I think in the worst case you can bring this DC offline and seize the schema master role. I will search for this error and get back to you.
March 9th, 2010 2:43pm

I did that, and transferred almost 800 MB worth of files from Drive C to Drive D, then restarted the server. Within 10-15 mins after restarting, Drive C was full again and only has 1 MB of free space...
March 9th, 2010 3:47pm

Please stop the automatic update services and make sure that the folder named download is empty.
March 9th, 2010 3:49pm

OK, I will check on the automatic update. By any chance, are you familiar with the errors that I posted? Thank you so much again for your help. =)
March 9th, 2010 4:40pm

Hi, I am searching on this issue, but for now can you please try to transfer this role to another DC like AD03 or AD02?
March 9th, 2010 4:45pm

I cannot seem to transfer this role, it gives me this error:

The Transfer of the operation master role cannot be performed because: Only DSAs configured to be Global Catalog servers should be allowed to hold Domain Naming Master FSMO role. (Applies only to Windows 2000 servers)
March 9th, 2010 4:50pm

Hello,

Transfer the Schema Master Role

1. Click Start, click Run, type mmc in the Open box, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. Click Add.
4. Click Active Directory Schema, click Add, click Close, and then click OK.
5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
8. Click Change.
9. Click OK to confirm that you want to transfer the role, and then click Close.

For the schema master make sure to be connected on the correct DC. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller, type the name of the new schema role holder and choose OK.

Please make all DCs Global catalog so no problem occurs with moving the FSMO roles.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
March 10th, 2010 9:10am

I tried to do this procedure several times, but every time I get an error in step number 8.

Transfer the Schema Master Role

1. Click Start, click Run, type mmc in the Open box, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. Click Add.
4. Click Active Directory Schema, click Add, click Close, and then click OK.
5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
8. Click Change. <-- The Transfer of the operation master role cannot be performed because: Only DSAs configured to be Global Catalog servers should be allowed to hold Domain Naming Master FSMO role. (Applies only to Windows 2000 servers)
9. Click OK to confirm that you want to transfer the role, and then click Close.
March 10th, 2010 3:16pm

Just another question, should changing the Schema or Domain Naming role cause any problem? I mean can I change this any time from one DC to another?
March 10th, 2010 3:23pm

Hello,

make sure to be connected to the correct DC:

"For the schema master make sure to be connected on the correct DC. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller, type the name of the new schema role holder and choose OK."

Moving these 2 FSMO roles shouldn't have any influence. If you change the PDCEmulator to a different machine you also have to reconfigure the chosen external time source or hardware clock.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
March 10th, 2010 3:36pm

"If you change the PDCEmulator to a different machine you also have to reconfigure the chosen external time source or hardware clock."

What do you mean by this? Thanks.
March 10th, 2010 3:49pm

Hello,

as the PDCEmulator is the time source for the domain, it should be configured to another machine (not domain member) or router or time server or its internal hardware clock. If you change the PDCEmulator to another DC you have to reconfigure this also.

See the following articles:
http://technet.microsoft.com/en-us/library/cc786897(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc738042(WS.10).aspx

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
March 10th, 2010 4:58pm

What if I change the PDC from one server to another and set it back again? Such as it was originally at AD02 and I set it to AD01 then back to AD02 again...
March 10th, 2010 5:20pm

Hello,

if you are ready with all moves, make sure the PDCEmulator is configured correctly. Keep in mind that all domain machines must have the same time; at least for Kerberos the difference cannot be under 5 minutes by default.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
March 10th, 2010 5:34pm

Yes, I have checked, all the servers have the same time. Another question regarding demoting a server: if I demote AD05, I cannot turn it back on? What will happen if I turn it back on? And when demoting a server, should I do this disconnected from my network?
March 10th, 2010 6:41pm

Hi all, sorry for the delay. I think it will be better if you take AD05 offline first, then try to seize the schema master role, and if it works fine then delete AD05 from your NTDS database and format it.
March 10th, 2010 6:51pm

Hello,

demoting a server doesn't mean removing it from the domain; it will become a member server and can still be used as a member server. There is no need to remove it.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
March 10th, 2010 6:54pm

One other thing I noticed is that when I run dcdiag, at the end of the test it gives me the error:

DcGetDcName(GC_SERVER_REQUIRED) call failed error 1355 A Global Catalog Server could not be located - All GC's are down

Why does it give me this error when I have all my GCs turned on?
March 11th, 2010 3:23am

Hello,

have you ever lost a DC because of a crash or restored one from an image? Please run "netdom query fsmo" and "repadmin /showrepl" on each DC and post the output here. Additionally, post an unedited ipconfig /all from them.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
March 11th, 2010 3:30am

How do I do this, from the command prompt?
March 11th, 2010 5:03am

Schema owner                CBCAD01.cbcmain.cbc.china.ph
Domain role owner           CBCAD01.cbcmain.cbc.china.ph
PDC role                    CBCAD02.cbcmain.cbc.china.ph
RID pool manager            CBCAD02.cbcmain.cbc.china.ph
Infrastructure owner        CBCAD02.cbcmain.cbc.china.ph
The command completed successfully.

C:\Documents and Settings\user1>repadmin /showrepl
repadmin running command /showrepl against server localhost

Default-First-Site-Name\CBCAD01
DC Options: IS_GC
WARNING: Not advertising as a global catalog.
Site Options: (none)
DC object GUID: 62f18a1f-6fee-4a5e-806e-c94e510476ab
DC invocationID: e5254475-6fc4-4bb8-a77e-8d389e95ff2e

==== INBOUND NEIGHBORS ======================================

DC=cbcmain,DC=cbc,DC=china,DC=ph
    Default-First-Site-Name\CBCZENMT via RPC
        DC object GUID: c3303923-9221-4140-b761-89985b9635c0
        Last attempt @ 2010-03-11 09:59:37 was successful.
    Default-First-Site-Name\CBCNTPDC via RPC
        DC object GUID: 551a0e64-2b29-4f2b-90c3-b688bfd73958
        Last attempt @ 2010-03-11 10:00:37 was successful.
    Default-First-Site-Name\CBCAD02 via RPC
        DC object GUID: 32c6d2d3-4232-4d87-8839-b91037658193
        Last attempt @ 2010-03-11 10:01:15 was successful.

CN=Configuration,DC=cbcmain,DC=cbc,DC=china,DC=ph
    Default-First-Site-Name\CBCAD02 via RPC
        DC object GUID: 32c6d2d3-4232-4d87-8839-b91037658193
        Last attempt @ 2010-03-11 09:49:33 was successful.
    Default-First-Site-Name\CBCNTPDC via RPC
        DC object GUID: 551a0e64-2b29-4f2b-90c3-b688bfd73958
        Last attempt @ 2010-03-11 09:54:37 was successful.
    Default-First-Site-Name\CBCZENMT via RPC
        DC object GUID: c3303923-9221-4140-b761-89985b9635c0
        Last attempt @ 2010-03-11 09:58:37 was successful.

CN=Schema,CN=Configuration,DC=cbcmain,DC=cbc,DC=china,DC=ph
    Default-First-Site-Name\CBCZENMT via RPC
        DC object GUID: c3303923-9221-4140-b761-89985b9635c0
        Last attempt @ 2010-03-11 09:49:33 was successful.
    Default-First-Site-Name\CBCAD02 via RPC
        DC object GUID: 32c6d2d3-4232-4d87-8839-b91037658193
        Last attempt @ 2010-03-11 09:49:33 was successful.
    Default-First-Site-Name\CBCNTPDC via RPC
        DC object GUID: 551a0e64-2b29-4f2b-90c3-b688bfd73958
        Last attempt @ 2010-03-11 09:49:33 was successful.

DC=DomainDnsZones,DC=cbcmain,DC=cbc,DC=china,DC=ph
    Default-First-Site-Name\CBCAD02 via RPC
        DC object GUID: 32c6d2d3-4232-4d87-8839-b91037658193
        Last attempt @ 2010-03-11 09:49:34 was successful.

DC=ForestDnsZones,DC=cbcmain,DC=cbc,DC=china,DC=ph
    Default-First-Site-Name\CBCAD02 via RPC
        DC object GUID: 32c6d2d3-4232-4d87-8839-b91037658193
        Last attempt @ 2010-03-11 09:49:34 was successful.

Source: Default-First-Site-Name\CBCMQSVR01
******* 8 CONSECUTIVE FAILURES since 2010-03-11 08:09:26
Last error: 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.

Naming Context: DC=messagequeue,DC=cbc,DC=china,DC=ph
Source: Default-First-Site-Name\CBCMQSVR01
******* WARNING: KCC could not add this REPLICA LINK due to error.
March 11th, 2010 5:14am

I do not know of any domain crashes or restoration of any DC. So I'll have to say no.
March 11th, 2010 5:17am

Hello,

are all DCs listed in AD UC and are the sites and subnets configured to reflect the physical structure of your domain?

CBCAD01 is no Global catalog server according to the repadmin output. Please check all DCs if they are Global catalog servers according to:
http://support.microsoft.com/?id=313994

As you can see, CBCMQSVR01 is having replication problems. As long as the repadmin output on all DCs isn't error free, you shouldn't go on with moving FSMO roles or thinking about upgrading the systems.

Also run "dcdiag /v /c /d /e /s:DCName >c:\dcdiag.txt" and if possible add dcdiag.txt to Windows sky drive so we can verify it, otherwise post it here. BUT better use the sky drive as the output is really long.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
March 11th, 2010 9:19am
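
Added example (not part of the thread, and not output from any tool of the posters): a Python triage of `repadmin /showrepl` text that flags the two conditions visible in the output posted above, a DC with IS_GC set that is not advertising as a global catalog, and a source with consecutive replication failures. The sample text, host names and the function name are constructed for illustration.

```python
import re

# Constructed sample in the layout of the `repadmin /showrepl` output posted
# in the thread; host and domain names are placeholders.
SAMPLE = """\
Default-First-Site-Name\\DC01
DC Options: IS_GC
WARNING:  Not advertising as a global catalog.
Site Options: (none)

==== INBOUND NEIGHBORS ======================================

DC=example,DC=test
    Default-First-Site-Name\\DC02 via RPC
        Last attempt @ 2010-03-11 10:01:15 was successful.
    Default-First-Site-Name\\DC03 via RPC
        Last attempt @ 2010-03-11 10:00:37 was successful.

Source: Default-First-Site-Name\\OLDDC01
******* 8 CONSECUTIVE FAILURES since 2010-03-11 08:09:26
Last error: 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
"""

def triage_showrepl(text):
    """Return (findings, healthy_link_count); findings should block FSMO moves."""
    findings = []
    options = re.search(r"^DC Options:\s*(.*)$", text, re.M)
    is_gc = bool(options and "IS_GC" in options.group(1).split())
    if is_gc and re.search(r"WARNING:\s+Not advertising as a global catalog", text):
        findings.append(("gc-not-advertising", "IS_GC set but GC not advertised"))
    elif not is_gc:
        findings.append(("not-gc", "IS_GC option not set"))
    # A failing partner appears as "Source: <site>\<dc>" followed by a failure count.
    fail = re.compile(
        r"^Source:\s*(?P<src>\S+)\s*\n\*+\s*(?P<n>\d+) CONSECUTIVE FAILURES since "
        r"(?P<since>[\d-]+ [\d:]+)\s*\nLast error:\s*(?P<code>\d+)", re.M)
    for m in fail.finditer(text):
        findings.append(("replication-failure",
                         f"{m['src']}: {m['n']} failures since {m['since']}, error {m['code']}"))
    ok = len(re.findall(r"Last attempt @ .* was successful\.", text))
    return findings, ok

if __name__ == "__main__":
    findings, ok = triage_showrepl(SAMPLE)
    print(f"{ok} inbound links healthy")
    for kind, detail in findings:
        print(f"[{kind}] {detail}")
```
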

I noticed that CBCMQSVR01 is an orphan domain, and this was the cause of why even checking the global catalog box on other DCs would not take effect. After properly removing CBCMQSVR01 from the list of domains, it all worked out properly. Thanks for all the help. =)
March 13th, 2010 5:23am

Hello,

nice to hear that you found it. Did you follow this way to remove a complete orphaned DC from the AD database:
http://support.microsoft.com/kb/555846/en-us

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
March 13th, 2010 9:02pm
