Event ID 3 — Domain Controller Availability
.jpg "red")
A Windows EBS domain controller is a server that is running a version of Windows Server 2008 and that has Active Directory Domain Services (AD DS) installed. In Windows EBS, the Management Server and the Messaging Server must be domain controllers. Several checks are made to ensure that the domain controllers are in compliance with the licensing agreement.
Event Details
| Product: | Windows Operating System |
| ID: | 3 |
| Source: | Microsoft-Windows-Server Infrastructure Licensing |
| Version: | 6.0 |
| Symbolic Name: | LIC_ENFORCEMENT_FSMOCHECK_ERROR |
| Message: | The FSMO Role Check in the Licensing component did not pass because error %1 occurred in function %2. %r%3%rMake sure that your DNS server can be contacted and the following services are running: Active Directory Domain Services (NTDS), DNS Server (DNS), Kerberos Key Distribution Center (KDC). This server will be automatically shut down if the issue is not corrected. |
Diagnose
This error might be caused by one of the following conditions:
- One or more of the required services in AD DS are not running.
- A network connectivity problem exists with a Windows EBS domain controller.
- A domain controller is not configured correctly.
- AD DS is not configured correctly.
One or more services in Active Directory Domain Services are not running
To view the services that are running on the domain controller
- Click Start, click Control Panel, double-click Administrative Tools, and then double-click Services.
- Ensure that the following services are running:
- Active Directory Domain Services (NTDS)
- Kerberos Key Distribution Center (KDC)
- DNS Server (DNS)
Note: If Windows EBS is managing DNS, ensure that the service is running on the Management Server and the Messaging Server. If another server is managing DNS, ensure that the DNS server can be contacted.
Use the information in "Start the Active Directory Domain Services" to ensure that the required services are running.
A network connectivity problem exists with a Windows EBS domain controller
To determine if there is a network connectivity problem with a Windows EBS domain controller, use the ping command.
Note: The following procedures include steps for using the ping command to perform troubleshooting. Therefore, before performing these steps, check whether the firewall or Internet Protocol security (IPsec) settings on your network allow Internet Control Message Protocol (ICMP) traffic. ICMP is the TCP/IP protocol that is used by the ping command.
To perform this procedure, you must belong to the local Administrators group, or you must have been delegated the appropriate authority.
To determine if there is a network connectivity problem with a domain controller
On a server in the network (other than the server you are attempting to ping), click Start, click Run, type cmd, and then click OK.
At the command prompt, type ping <ServerFQDN>, where <ServerFQDN> is the fully qualified domain name (FQDN) of the domain controller (for example, server1.contoso.com), and then press ENTER.
If the ping was successful, you will receive a reply similar to the following:
Reply from IP_address: bytes=32 time=3ms TTL=59Reply from IP_address: bytes=32 time=20ms TTL=59Reply from IP_address: bytes=32 time=3ms TTL=59Reply from IP_address: bytes=32 time=6ms TTL=59At the command prompt, type ping <IPAddress>, where <IPAddress> is the IP address of the domain controller, and then press ENTER.
If you cannot successfully ping the domain controller by IP address or by FQDN, see the section titled "Identify and fix network connectivity issues."
A domain controller is not configured correctly
The dcdiag tool analyzes the state of domain controllers in a forest or enterprise, and then it reports any problems to assist in troubleshooting. As an end-user reporting program, dcdiag encapsulates detailed knowledge about how to identify abnormal behavior in the system.
To view a report of the state of the domain controllers
Run the following command on the Management Server:
dcdiag /s:<ManagementServerName>
Replace <ManagementServerName> with the name of the Management Server.
Run the following command on the Messaging Server:
dcdiag /s:<MessagingServerName>
Replace <MessagingServerName> with the name of the Messaging Server.
For more information about using the dcdiag tool, see "Dcdiag" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=133110).
Use the information in "Configure the domain controller" to help resolve connectivity issues.
Active Directory Domain Services are not configured correctly
Use Event Viewer to search for AD DS related events, and refer to AD DS troubleshooting information at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=136736).
You can also view AD DS troubleshooting information at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=136737).
Configure AD DS settings by using the information in "Correct Active Directory Domain Services issues."
Resolve
To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly
Cause |
Resolution |
|---|---|
The domain controller cannot be contacted |
Identify and fix domain controller connectivity issues |
The domain controller is not configured correctly |
Configure the domain controller |
Active Directory Domain Services is not configured correctly |
Correct Active Directory Domain Services issues |
The required Active Directory Domain Services services are not running |
Start the required services for Active Directory Domain Services |
Identify and fix domain controller connectivity issues
To resolve this issue, identify and fix any network connectivity problems between the domain controllers and the other computers in the network.
Note: The following procedures include steps for using the ping command to perform troubleshooting. Therefore, before performing these steps, check whether the firewall or Internet Protocol security (IPsec) settings on your network allow Internet Control Message Protocol (ICMP) traffic. ICMP is the TCP/IP protocol that is used by the ping command.
To perform these procedures, you must belong to the local Administrators group, or you must have been delegated the appropriate authority.
If you can successfully ping the domain controller by IP address, but not by FQDN, this indicates a possible issue with DNS host name resolution. If you cannot successfully ping the domain controller by IP address, this indicates a possible issue with network connectivity, firewall configuration, or IPsec configuration.
The following are some additional troubleshooting steps that you can perform to help identify the root cause of the problem:
- Ping other computers on the network to help determine the extent of the network connectivity issue.
- If you can ping other servers but not the domain controller, try to ping the domain controller from another computer. If you cannot ping the domain controller from any computer, first ensure that the domain controller is running. If the domain controller is running, check the network settings on the domain controller.
- Check the TCP/IP settings on the local computer by doing the following:
- Click Start, click Run, type cmd, and then click OK.
- At the command prompt, type ipconfig /all, and then press ENTER. Make sure that the information listed is correct.
- Type ping localhost to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with your network adapter.
- Type ping <IPAddress>, where <IPAddress> is the IP address assigned to the computer. If you can ping the localhost address but not the local address, there may be an issue with the routing table or with the network adapter driver.
- Type ping <DNSServer>, where <DNSServer> is the IP address assigned to the DNS server. If there is more than one DNS server on your network, you should ping each one. If you cannot ping the DNS servers, this indicates a potential problem with the DNS servers, or with the network between the computer and the DNS servers.
- If the domain controller is on a different subnet, try to ping the default gateway. If you cannot ping the default gateway, this might indicate a problem with the network adapter, the router or gateway device, the cabling, or the other connectivity hardware.
- In Device Manager, check the status of the network adapter. To open Device Manager, click Start, click Run, type devmgmt.msc, and then click OK.
- Check the network connectivity indicator lights on the computer and at the hub or router. Check the network cabling.
- Check the firewall settings by using the Windows Firewall with Advanced Security snap-in. For more information about troubleshooting and configuring Windows Firewall, see "Windows Firewall" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=136738).
- Check the IPsec settings by using the IP Security Policy Management snap-in.
- Ensure the NTDS service is running on the domain controller.
Configure the domain controller
To resolve this issue, ensure that the Management Server and the Messaging Server are functioning as domain controllers. If both servers are domain controllers but are not functioning correctly, diagnose and fix problems using the Domain Controller Diagnostic Tool (dcdiag.exe).
Ensure that the Management Server and the Messaging Server are domain controllers
To view domain information, run the following command:
netdom /query DC
If the Management Server or the Messaging Server were demoted from being a domain controller by using the dcpromo tool, use dcpromo to promote the server to be a domain controller. For more information about using dcpromo, see "Dcpromo" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=136741).
If the Management Server or the Messaging Server have stopped functioning as a domain controller because of corrupted data, it is recommended that you replace the server by using the Windows EBS Installation Wizard. For more information about replacing a server, see "Replacing a Server for Windows Essential Business Server" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=125657).
The dcdiag tool analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting. As an end-user reporting program, dcdiag encapsulates detailed knowledge about how to identify abnormal behavior in the system.
To view a report of the state of the domain controller, run the following command
dcdiag /s:<ServerName>
Replace <ServerName> with the name of the Management Server or the Messaging Server.
Correct Active Directory Domain Services issues
To resolve this issue, use the ntdsutil command-line tool to fix AD DS issues.
Ntdsutil provides management facilities for AD DS and Active Directory Lightweight Directory Services. You can use the ntdsutil commands to perform database maintenance of AD DS, to manage and control single master operations, and to remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.
For more information about using the ntdsutil tool, see "Ntdsutil" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=132629).
Start the required services for Active Directory Domain Services
To view the services that are running on the domain controller
- Click Start, click Control Panel, double-click Administrative Tools, and then double-click Services.
- Ensure that the following services are running:
- Active Directory Domain Services (NTDS)
- DNS Server (DNS)
- Kerberos Key Distribution Center (KDC)
- If any of these services are not running, right-click the service, and then click Start.
Verify
Query the domain controller for information
The netdom tool enables administrators to manage domains and trust relationships from the command line.
To view domain information, run the following command:
netdom /query DC
For more information about using the netdom tool, see "Netdom" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=136703).
Diagnose the status of the domain controllers
The dcdiag tool analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting. As an end-user reporting program, dcdiag encapsulates detailed knowledge about how to identify abnormal behavior in the system.
To view a report of the state of the domain controller, run the following command:
dcdiag /s:<ServerName>
Replace <ServerName> with the name of the Management Server or the Messaging Server.
Test trust relationships and the state of domain controller replication in the domain
To test the domain controller, run the following command:
nltest /dsgetdc:%userDNSdomain%
UserDNSdomain is an environment variable that contains the name of your domain.
For more information about using the nltest tool, see "Nltest" at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=136743).