I cannot promote this 2003 server as a DC with dcpromo. Can I have the local user's group be active directory without making it a domain controler? : Microsoft, 2003 Active Directory, 2003 SP 2, Domain controler issue

May 17, 2008 04:33am pdt

1. KCTS 421,222
2. LauraEHu... 314,971
3. Chris-Dent 136,127
4. oBdA 121,700
5. tigermatt 103,030
6. martin_b... 98,358
7. Jay_Jay70 93,861
8. toniur 93,817
9. mattee76 88,690
10. PlaceboC6 78,254
11. Netman66 72,368
12. Sembee 70,394
13. ryansoto 64,180
14. ChiefIT 61,672
15. RobSampson 60,645

1. KCTS 1,119,735
2. LauraEHu... 935,151
3. Jay_Jay70 420,548
4. toniur 368,040
5. oBdA 327,268
6. Sembee 318,473
7. Netman66 290,576
8. Chris-Dent 261,204
9. tigermatt 194,993
10. kamalgopi 170,528
11. Pber 161,830
12. TechSoEasy 157,616
13. aissim 155,199
14. leew 154,362
15. strongline 125,990

03.22.2008 at 06:54PM PDT, ID: 23262199

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

9.3

I cannot promote this 2003 server as a DC with dcpromo. Can I have the local user's group be active directory without making it a domain controler?

Zones: Windows 2003 Active Directory, Windows 2003 Server

Tags: Microsoft, 2003 Active Directory, 2003 SP 2, Domain controler issue

I have been trying to promote a 2003 server to be a domain controler. The only reason I would like to do this is so a very badly written application on the server can user directory services instead of the local users group.

I have tried several days to do this and I cannot get it to work.

As soon as the server is promoted, all the servers loose access to the sysvol and netlog shares from the domain share (not the DC's shares, just the domain share). DNS is working properly, and I can promote or demote any of my other servers normally.

As soon as I demote the server in question, I re-boot the other domain controlers and everything is fine.

OK, is there any way of replicating the directory services database without making the server a domain controler? Any other ideas? I'm fresh out and very tired

Start your free trial to view this solution

Question Stats

Zone: OS

Question Asked By: starmonkey

Solution Provided By: Jay_Jay70

Participating Experts: 3

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

03.22.2008 at 08:53PM PDT, ID: 21188615

Rank: Genius

Jay_Jay70:

no, AD will only replicate to Domain Controllers, thats the way its designed and the only way it will work....

can you shed some more details on what actually happens when you promote that server

Accepted Solution

03.22.2008 at 10:40PM PDT, ID: 21188832

starmonkey:

Everything goes well untill the netlogin service restarts, then anything within the sysvol or netlogon domain share is inaccessable. If I try to access \\<FQDN>\SYSVOL I get the following error:
configuratin could not be read from the domain controler, either because the machine is not available or access is denied.
I can access the SYSVOL share from any domain controler:
\\<DC name.FQDN>\SYSVOL
Except the newly promoted DC on where I get the same error.
The permissions on each DC's SYSVOL share are identical.

There is one error that caught my eye in the event log on the new DC:

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            3/22/2008
Time:            10:26:22 PM
User:            N/A
Computer:      MNHC-CPMM
Description:
The Security System detected an authentication error for the server <new DC.FQDN>. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
(0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0 ^..À

The DNS records are all OK.

The only other thing I can think of is the reverse DNS zone. My subnet mask is 255.255.240.0, so I have multiple reverse lookup zones for this subnet. The DC in question is in a diffrent reverse lookup zone, but the pointer record is there.

03.23.2008 at 06:44AM PDT, ID: 21189578

manu4u:

remove the share of sysvol and reshare it back ..
check kerberose Key distribution center service ..

If the errors only occur after the server has been rebooted, it is likely that a service is attempting to authenticate before the directory service is available.

http://support.microsoft.com/kb/824217

03.23.2008 at 02:16PM PDT, ID: 21190825

starmonkey:

I think something is wrong with certificate services and the certificatin authority. I'll post back when I find out more.

03.23.2008 at 10:47PM PDT, ID: 21192099

starmonkey:

OK, I've demoted the server for tonight, and recovered the network.

Something is wrong with file sharing on the server: If I set up a test share I can access it by \\servername, but not \\servername.domainname.org.
This happens even after the server was demoted.

any ideas; I'm tired and not thinking too clearly.

03.23.2008 at 11:29PM PDT, ID: 21192161

starmonkey:

Update: Performed NSLOOKUP for both servername and servername.domainname.org, and they resolve to the same address.
So much for a DNS issue.

03.24.2008 at 01:32AM PDT, ID: 21192431

matjm:

Hi there,

Can you try adding your domain as a DNS suffix on this machine? Let me know if you need to know where to configure this.

03.24.2008 at 11:17AM PDT, ID: 21195496

starmonkey:

I think it already is:
in DNS tab of advanced network properties...
append primary and connectino specific DNS suffixes radio button selected; append parent suffixes of the primary DNS suffix box checked.

I will try to manually enter the DNS suffix, and post back

03.24.2008 at 11:37AM PDT, ID: 21195669

starmonkey:

No luck, same problem.

04.03.2008 at 05:24PM PDT, ID: 21278146

starmonkey:

I finally solved this issue by removing the member server freom the domain, renaming it, and re-joining it. There has got to be some stray info in AD messing it up.

20080236-EE-VQP-29 / EE_QW_2_20070628