Solved

Active Directory - The specified domain does not exist or could not be contacted

Posted on 2004-09-04
958 Views
Last Modified: 2008-01-09
I have a Win 2000 server that is old and needs replacement. I have a new machine, fresh install.
It has DNS, and uses itself as DNS in network configuration. I have run DCPROMO and marked it as global catalog, confirmed by event 1119. The old server is still flagged as Global Catalog.

The problem: if I shut the other server down I can no longer access Active Directory information. I cannot add permissions to shares and I cannot view the Active Directory tree for the domain.

But if I open Active Directory Users And Computers, click Action and Connect to Domain Controller and select the new machine, I have the whole Active Directory tree there, even with the old server down.

I am now terrified of a hardware failure. So far everything is working (both machines up) but I need to be able to turn the old server off. It will fail soon.

Thanks for the help, Roberto.
Question by:rmaranhao
6 Comments
 
LVL 23

Expert Comment

by:adilkhan
ID: 11981590
Maybe you should run Dcpromo on the old machine and demote it.
 
LVL 23

Expert Comment

by:adilkhan
ID: 11981591
And one more thing.
When you ran Dcpromo on the new machine, which option did you choose?

Make sure you chose Additional Domain Controller in the Existing Domain.
 
LVL 16

Accepted Solution

by:JamesDS (earned 500 total points)
ID: 11981856
rmaranhao
You need to transfer the FSMOs off the old DC and decommission it gracefully

Read this:
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part1/dsgch07.mspx
Use the section "Using the Ntdsutil Tool for Role Placement"

DON'T seize the roles, transfer them.

Once you have transferred the roles, run DCPROMO on the old machine and go fully through the wizard to remove AD from it, then remove it from the domain.

Cheers

JamesDS
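The transfer JamesDS describes, as an added example that is not part of the thread: a PowerShell wrapper around the Support Tools commands that hands each FSMO role to the new DC and then checks the result. NEWDC and corp.example are placeholders; it assumes ntdsutil accepts its interactive commands as arguments (the same words you would type at the ntdsutil prompt), that netdom and nltest from the Support Tools are on the path, and it uses the Windows 2000/2003 wording "domain naming master" (Server 2008 and later ntdsutil calls it "naming master").

```powershell
# Added example (not from the thread): transfer all five FSMO roles to the new DC
# and confirm the result. Assumptions: run on the NEW DC as a member of Enterprise
# Admins and Schema Admins; NEWDC and corp.example are placeholders; ntdsutil,
# netdom and nltest are on the path (the latter two ship in the Support Tools).
param(
    [string]$NewDc  = 'NEWDC',          # placeholder: hostname of the additional DC
    [string]$Domain = 'corp.example'    # placeholder: DNS name of the AD domain
)

# "domain naming master" is the Windows 2000/2003 ntdsutil wording; Server 2008
# and later call it "naming master".
$roles = @('schema master', 'domain naming master', 'infrastructure master',
           'pdc', 'rid master')

# ntdsutil accepts its interactive commands as arguments. Each "transfer" asks the
# current owner to hand the role over cleanly (ntdsutil pops a confirmation dialog),
# so the old DC learns that it no longer holds the role. "seize" only rewrites the
# directory and is reserved for a holder that is permanently gone: never seize a
# role from a DC that can still come back online.
foreach ($role in $roles) {
    Write-Host "Transferring $role to $NewDc ..."
    & ntdsutil.exe 'roles' 'connections' "connect to server $NewDc" 'quit' `
        "transfer $role" 'quit' 'quit'
}

# Verify: netdom query fsmo prints one line per role, e.g.
#   Schema owner                newdc.corp.example
$fsmo = & netdom.exe query fsmo 2>&1
$fsmo | Write-Host
$stillElsewhere = @($fsmo | Where-Object {
    $_ -match 'owner|manager|PDC role' -and $_ -notmatch [regex]::Escape($NewDc)
})
if ($stillElsewhere.Count -gt 0) {
    throw "These roles are not on $NewDc yet:`n$($stillElsewhere -join "`n")"
}

# Confirm the new DC is actually handed out as a global catalog. Event 1119 says
# the GC finished building; this asks the locator on the new DC for a GC and
# checks that the returned flags include GC.
$gc = & nltest.exe "/dsgetdc:$Domain" /gc /force "/server:$NewDc" 2>&1
$gc | Write-Host
if (($gc -join ' ') -notmatch '\bGC\b') { throw "$NewDc is not being returned as a GC" }
Write-Host "FSMO roles and GC are on $NewDc; the old DC can now be demoted with dcpromo."
```

If any transfer fails, the script stops at the verification step rather than moving on, so the old DC is never demoted while it still owns a role.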
 
LVL 5

Author Comment

by:rmaranhao
ID: 11982274
I chose additional domain controller. What chills my spine when I think about seizing the role is this: if I demote the old machine and my problem is DNS related, then my network goes .....

How can I be sure I have the correct settings in the new machine? Why doesn't the new machine allow me to see the Active Directory tree? I haven't made any changes to the Active Directory and so far I am not worried about errors when a user tries to change his/her password.

What concerns me is that I have a new machine, running AD and DNS, and when the old machine is down ALL the Active Directory functions, including domain logon, fail.

James, I read the link you sent and understood most of it. Please correct me if I'm wrong, but shouldn't the new machine at least authenticate user logons?

Thanks for all the help.
Roberto
 
LVL 16

Expert Comment

by:JamesDS
ID: 11983791
If the new DC is running DNS and it is configured for dynamic update, then once GC and all the FSMO roles are TRANSFERRED (NOT SEIZED) there is no reason why the old one cannot be taken down.

The reason your logons are failing is likely due to the database not fully replicating, which is probably DNS related.

Make sure that the DNS service for the new DC contains the full AD zone tree and all the _MSDCS entries for your domain.
Also make sure that the contents of the SYSVOL folders on each machine are the same; SYSVOL contains your GPOs and is usually the last thing to be replicated.

Use the REPLMON tool from the Support Tools pack on the CD (\support) to connect to each DC and see if it is replicating OK; you can right-click on each DC and select "replicate this DC", and also kick off the topology generator.

So long as AD is replicated to the second DC, then even if it all fails it is still recoverable without the need to restore (I have done a few of those!)

Cheers

JamesDS
 
LVL 82

Expert Comment

by:oBdA
ID: 11985001
At the moment, your problem is here: "It has DNS, and uses itself as dns in network configuration." Since this is an additional DC, its first DNS entry should point to your first DNS server, and only the secondary DNS entry should point to itself. Your first DC should only point to itself.

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?kbid=825036

As for shutting down the old server, there's basically no need to transfer the roles from the W2k machine manually; but under *no* circumstances simply shut it down and throw it away or install something else on it, like it was possible in NT4. Demote the W2k DC first, and the FSMO roles should be transferred during this process. Once you run dcpromo to demote the old server, it will move the FSMO roles that are still on the DC you're demoting.
====8<----[KB238369]----
Removing Active Directory from a Domain Controller
NOTE: When a domain controller is demoted, if it is not the last domain controller in the domain, it performs a final replication and then transfers the roles to another domain controller.
====8<----[KB238369]----

Then depending on your DNS setup (if you have a primary zone on your first DNS and a secondary on your second), you might have to change the SOA in your DNS from your old DNS to the new one.

HOW TO: Promote and Demote Domain Controllers in Windows 2000
http://support.microsoft.com/?kbid=238369

Here's some more about transferring roles:

Flexible Single Master Operation Transfer and Seizure Process
http://support.microsoft.com/?kbid=223787

HOW TO: View and Transfer FSMO Roles in the Graphical User Interface
http://support.microsoft.com/?kbid=255690

FSMO Placement and Optimization on Windows 2000 Domain Controllers
http://support.microsoft.com/?kbid=223346
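The pre-shutdown checks JamesDS lists (the _MSDCS records, SYSVOL consistency, replication status) together with oBdA's point about the DNS client order, as one added example script that is not from the thread. OLDDC, NEWDC and corp.example are placeholders; it assumes nslookup and the Support Tools repadmin are on the path and that it runs as a domain admin on the new DC so both SYSVOL shares are readable. It collects every failed check and prints them at the end rather than stopping at the first one.

```powershell
# Added example (not from the thread): health checks to run on the NEW DC before the
# old one is switched off. Assumptions: OLDDC, NEWDC and corp.example are placeholders;
# nslookup and repadmin (Support Tools) are on the path; the script runs as a domain
# admin so \\OLDDC\SYSVOL and \\NEWDC\SYSVOL are both readable.
param(
    [string]$OldDc  = 'OLDDC',
    [string]$NewDc  = 'NEWDC',
    [string]$Domain = 'corp.example'
)
$problems = @()

# 1. DNS client order (oBdA): while both DCs exist, the additional DC should list the
#    existing DNS server first and itself second. Pointing only at itself is the
#    "specified domain does not exist" trap: its own zone may not hold the records yet.
foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    $order = @($nic.DNSServerSearchOrder | Where-Object { $_ })
    Write-Host ("DNS servers on '{0}': {1}" -f $nic.Description, ($order -join ', '))
    if ($order.Count -lt 2) {
        $problems += "NIC '$($nic.Description)' has fewer than two DNS servers configured"
    } elseif ($nic.IPAddress -contains $order[0]) {
        $problems += "NIC '$($nic.Description)' lists this DC as its first DNS server; put $OldDc first until the old DC is demoted"
    }
}

# 2. Locator records (JamesDS): the new DC must appear in the _msdcs SRV records served
#    by its own DNS, or clients cannot find a DC, KDC or GC once the old server is gone.
$srvNames = @("_ldap._tcp.dc._msdcs.$Domain",
              "_kerberos._tcp.dc._msdcs.$Domain",
              "_ldap._tcp.gc._msdcs.$Domain")
foreach ($name in $srvNames) {
    $answer = (& nslookup.exe -type=SRV $name $NewDc 2>&1) -join "`n"
    if ($answer -notmatch [regex]::Escape($NewDc)) {
        $problems += "$name on DNS server $NewDc does not contain $NewDc"
    }
}

# 3. Replication (JamesDS): repadmin /showreps prints, per inbound partner, either
#    "Last attempt @ <time> was successful." or "... failed, result <code>".
$reps = (& repadmin.exe /showreps $NewDc 2>&1) -join "`n"
if ($reps -notmatch 'was successful') { $problems += "$NewDc shows no successful inbound replication" }
if ($reps -match 'failed, result')     { $problems += "$NewDc reports failed replication attempts (see repadmin /showreps)" }

# 4. SYSVOL (JamesDS): FRS converges last, so compare the GPO tree file by file with
#    SHA-256 instead of trusting the directory listing.
function Get-SysvolHashes([string]$Dc, [string]$DomainName) {
    $root  = "\\$Dc\SYSVOL\$DomainName"
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $table = @{}
    Get-ChildItem -Path $root -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        $table[$_.FullName.Substring($root.Length)] = [System.BitConverter]::ToString($sha.ComputeHash($bytes))
    }
    return $table
}
$oldTree = Get-SysvolHashes $OldDc $Domain
$newTree = Get-SysvolHashes $NewDc $Domain
$differs = @(@($oldTree.Keys) + @($newTree.Keys) | Sort-Object -Unique |
            Where-Object { $oldTree[$_] -ne $newTree[$_] })
if ($differs.Count -gt 0) {
    $problems += "SYSVOL differs on $($differs.Count) file(s), first: $($differs[0])"
}

# Summary: only when every check passes is the new DC able to serve the domain alone.
if ($problems.Count -eq 0) {
    Write-Host "All checks passed: $NewDc can stand alone; transfer the FSMO roles, then demote $OldDc."
} else {
    Write-Host "Do not shut down $OldDc yet:"
    $problems | ForEach-Object { Write-Host " - $_" }
}
```

The DNS order check only applies to the transition period; once the old DC has been demoted and removed, the remaining DC should point at itself, as oBdA notes for the first DC.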