Hello,
I'm running an all-Windows 2003 Standard environment and I want to add a second domain controller with secondary DNS so that there is a level of redundancy.
Can someone please advise on the steps I should follow to get this done right?
I've recently tried doing this but ran into many problems and ended up scrambling to reverse everything I had done to get back to the point where things are as they should be, with a single DC with DNS in the domain.
An overview of the steps I took previously were as follows:
1) I created the first domain controller (dc1) for domain (domain.loc).
2) I built a second server (dc2); I installed DNS as secondary zone then installed AD.
3) Promoted dc2 to be a second global catalog server.
4) I noticed dc2 was logging many event id 13555 and event id 13552 under the FRS log, the netlogon and sysvol shares were not being shared. So I managed to get those cleared up by googling FRS event 13555 13552 and trolling through different posts.
5) I noticed that dc2 was logging event id 2103 under the directory service log and that the netlogon service was being paused after startup. From reading http://support.microsoft.com/kb/875495/en-us it looks like my only option is to remove AD from dc2 and then reinstall. I'm guessing that I'm seeing this problem here because of something stupid that I did in step 4.
6) I removed the global catalog role from dc2.
7) I've noted that all FSMO roles belong to dc1
C:\>netdom /query fsmo
Schema owner DC1.domain.loc
Domain role owner DC1.domain.loc
PDC role DC1.domain.loc
RID pool manager DC1.domain.loc
Infrastructure owner DC1.domain.loc
The command completed successfully.
8) I then tried uninstalling AD from dc2 using dcpromo.exe but logged event id 2023 in the directory service log
The local domain controller was unable to replicate changes to the following remote domain controller for the following directory partition.
Remote domain controller:
referenceDC._msdcs.domain.loc
Directory partition:
DC=DomainDnsZones,DC=domain,DC=loc
The local domain controller cannot complete demotion.
User Action
Investigate why replication between these two domain controllers cannot be performed. Then, try to demote this domain controller again.
Additional Data
Error value:
8606 Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
Over on dc1, I was seeing event 1988 "Active Directory Replication encountered the existence of objects in the following partition that have been deleted from the local domain controller's (DC's) Active Directory database." Because I was running Windows 2003 on all domain controllers, I was given the option to run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>".
So I got the GUID of the good/reference DC using repadmin /showrepl refDC. Then I ran the following to remove all lingering objects.
repadmin /removelingeringobjects * refDC DC=domain,DC=loc
repadmin /removelingeringobjects * refDC CN=Configuration,DC=domain,DC=loc
repadmin /removelingeringobjects * refDC CN=Schema,CN=Configuration,DC=domain,DC=loc
repadmin /removelingeringobjects * refDC DC=DomainDnsZones,DC=domain,DC=loc
repadmin /removelingeringobjects * refDC DC=ForestDnsZones,DC=domain,DC=loc
Then I went back to dc2 and ran dcpromo.exe again. The process hung while trying to stop NETLOGON. So I tried once more and AD uninstalled successfully. I restarted dc2 (now a member server) and it started without event.
9) Soon after restarting dc2, the EXCHANGE 2003 server (mail1) started logging lots of events
Application: 2114 2103 2102 8026 8250 1053 1000 9176 9057 9143 9074 9154
System: 5719
One of these events suggested restarting the DC as soon as possible because a DC demotion was detected. Restarting dc1 cleared up these problems.
10) Now back on dc2, I was seeing DNS server events: 4007 4001 4015 so I uninstalled DNS on dc2.
11) Application log on dc2 had logged event id 53258. To correct this problem I did the following:
-Start | Run Regedit
-Locate the registry key HKLM\Software\Microsoft\MSDTC.
-Right-click to MSDTC and select Permissions.
-Make sure the Network Service account is listed. Click Advanced button. Select Network Service and click Edit button, check "Create Subkey" and "Set Value" Permissions.
-Restart dc2.
12) Finally, running dcdiag and netdiag on dc1 comes up clean. So I believe I'm at a point ready to try this all over again, the right way?!?
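The lingering-object cleanup in step 8 is the part of the post that is easiest to get wrong by hand: the reference DC's DSA object GUID has to be read out of `repadmin /showrepl`, and the same command then has to be repeated once per naming context with the domain's DN spelled out correctly each time. The script below is an added example (my own, not from the post or from Microsoft) that does exactly that: it parses the "DSA object GUID:" line from a constructed sample of showrepl output, derives the five naming contexts from the domain's DNS name, and prints the `repadmin /removelingeringobjects` lines, adding repadmin's `/advisory_mode` switch by default so the first run only reports what would be removed. The showrepl text and the GUID in it are made up for the example; `domain.loc` is the name from the post.

```python
"""
Added example: build the repadmin /removelingeringobjects command set for
every naming context of a single-domain forest, taking the source DSA GUID
from `repadmin /showrepl <reference DC>` output.

Assumptions: the showrepl sample below is constructed (the GUID is not a
real DC's), and the domain name used in __main__ is the post's domain.loc.
"""
import re

# Constructed sample of the header of `repadmin /showrepl` output.
# Only the "DSA object GUID:" line is parsed; everything else is ignored.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 9a3b2c1d-4e5f-4a6b-8c7d-0e1f2a3b4c5d
DSA invocationID: 1f2e3d4c-5b6a-4798-8a9b-0c1d2e3f4a5b

==== INBOUND NEIGHBORS ======================================
"""

GUID_RE = re.compile(r"^DSA object GUID:\s*([0-9a-fA-F-]{36})\s*$", re.MULTILINE)


def dsa_object_guid(showrepl_text):
    """Return the DSA object GUID (lowercased) from showrepl output, or raise."""
    match = GUID_RE.search(showrepl_text)
    if not match:
        raise ValueError("no 'DSA object GUID:' line found in showrepl output")
    return match.group(1).lower()


def domain_dn(dns_name):
    """Turn a DNS domain name into its AD distinguished name: domain.loc -> DC=domain,DC=loc"""
    labels = [label for label in dns_name.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=%s" % label for label in labels)


def naming_contexts(dns_name):
    """The five NCs a DNS-hosting DC in a single-domain forest replicates."""
    dn = domain_dn(dns_name)
    return [
        dn,                                         # domain partition
        "CN=Configuration," + dn,                   # configuration partition
        "CN=Schema,CN=Configuration," + dn,         # schema partition
        "DC=DomainDnsZones," + dn,                  # domain-wide DNS app partition
        "DC=ForestDnsZones," + dn,                  # forest-wide DNS app partition
    ]


def removal_commands(dns_name, source_guid, dest="*", advisory=True):
    """One repadmin line per NC; dest '*' means every DC, as in the post.

    advisory=True appends /advisory_mode, which makes repadmin report the
    lingering objects it would delete without deleting anything.
    """
    flag = " /advisory_mode" if advisory else ""
    return [
        "repadmin /removelingeringobjects %s %s %s%s" % (dest, source_guid, nc, flag)
        for nc in naming_contexts(dns_name)
    ]


if __name__ == "__main__":
    guid = dsa_object_guid(SAMPLE_SHOWREPL)
    print("# advisory pass (report only):")
    for cmd in removal_commands("domain.loc", guid):
        print(cmd)
    print("# real pass, once the advisory report has been reviewed:")
    for cmd in removal_commands("domain.loc", guid, advisory=False):
        print(cmd)
```

Paste the real `repadmin /showrepl` output of the good DC in place of the sample, run the advisory pass first and read the event-log output it produces on each DC, and only then re-run with `advisory=False`. Keeping the DN construction in one function also avoids the kind of split DN seen in the post's pasted commands.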