Solved

DC's are not speaking to each other.

Posted on 2005-05-02
Last Modified: 2012-06-21
We have two domain controllers on our network.  One of them crashed and we restored it from backup.  Everything seemed to be working fine except all of a sudden we noticed all the users lost their rights to that server.  We dug a little deeper and noticed that one DC could replicate to the other but not the other way around.  Whenever we tried to replicate from 1 to 2 it worked but from 2 to 1 we received the following message.

The following error occurred during the attempt to synchronize naming context mkrs.com from domain controller server1 to domain controller server2:
The naming context is in the process of being removed or is not replicated from the specified server.
This operation will not continue.

Can anyone give me some guidance or better yet, tell me how to fix this?

Thanks,
Jose

0
Question by:mkrsmis
18 Comments
 
LVL 11

Expert Comment

by:Eric
ID: 13911160
Is it an option to demote the DC and repromote it?
This has worked for me in the past when a restore did not work completely.  Or did you rebuild it from scratch and use DCPROMO to start with?
0
 

Author Comment

by:mkrsmis
ID: 13911216
I've tried to demote both of the DC's but I haven't been able to.  I've used DCPROMO and I get the following errors.  If I mark it as the last domain controller I get...

This domain controller is not the last domain controller in the domain.

If I do not mark it as the last domain controller I get...

A domain controller could not be contacted for the domain domain.com that contained an account for this computer.  Make the computer a member of a workgroup then rejoin the domain before retrying the promotion.

From the other server I get the same message if I mark it as the last domain controller and a message stating that it could copy object to the other DC so it cannot remove Active Directory.
0
 
LVL 11

Expert Comment

by:Eric
ID: 13911285
Don't demote both!  Does the working server have all the roles assigned to it?

Did you join the domain after the rebuild?
Delete the computer account for the restored server out of Active Directory Users and Computers.
Then rejoin the domain.  Then try a dcpromo.

0

 

Author Comment

by:mkrsmis
ID: 13911523
I was trying to demote one, when that failed I tried the other.  I can't demote either of them.  I tried to rejoin the domain but since it is a domain controller, it will not let me leave the domain to then try to rejoin it.
0
 
LVL 11

Expert Comment

by:Eric
ID: 13911552
What if you blow the server out, reload it and repromote it.  Give it a new name and never look back :o

Then you would have to edit AD to remove references to the old server if it still believes it exists..
I had to do that once.  It's not too bad, and I will help you find the step by step if you decide to take that route.

0
 

Author Comment

by:mkrsmis
ID: 13911573
I really would like to avoid that.  Can you think of anything else?
0
 
LVL 11

Expert Comment

by:Eric
ID: 13911599
See if all the master roles are possessed by the remaining server.  I think there are 5.  Plus the Global Catalog.
0
 

Author Comment

by:mkrsmis
ID: 13911618
Where can I see that and where would I make changes?
0
 
LVL 11

Expert Comment

by:Eric
ID: 13911706
You could do a force demote on the crappy one.    But first determine if the good one has the roles.
For roles:
Open AD Users and Computers.  Right click domain name and choose Operations Masters.
Check RID, PDC, and Infrastructure.
They need to all be your surviving DC.

In AD Sites and Services:
Go all the way down to the NTDS Settings, right click Properties.  Make sure the surviving DC has Global Catalog checked.

I forget where the other two are.. look here
http://www.petri.co.il/determining_fsmo_role_holders.htm


See this link.   It mentioned doing the meta cleanup I talked about above.  
http://support.microsoft.com/default.aspx?scid=kb;en-us;332199&sd=tech

0
 
LVL 11

Expert Comment

by:Eric
ID: 13911731
Open Active Directory Domains and Trusts MMC.

Right click and do "Operations Masters".  That is another one, just one more... hmmmm

Ahh, it's in that article above... with pictures and all :D
------------------------------------------------------
Finding the Schema Master via GUI

To find out who currently holds the Schema Master Role:

Register the Schmmgmt.dll library by pressing Start > RUN and typing:

regsvr32 schmmgmt.dll

Press OK. You should receive a success confirmation.

From the Run command open an MMC Console by typing MMC.

On the Console menu, press Add/Remove Snap-in.

Press Add. Select Active Directory Schema.

Press Add and press Close. Press OK.

Click the Active Directory Schema icon. After it loads right-click it and press Operation Masters.
-----------------------------
 

0
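A scripted version of the role-holder check walked through in the two comments above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (RSAT) is available and that at least one DC is reachable; `GOOD-DC01` is a hypothetical placeholder for the surviving DC's name.

```powershell
# Added example: list the five operations master (FSMO) role holders and the
# Global Catalog flag, and flag any role not held by the surviving DC.
# Assumes the ActiveDirectory module (RSAT) and a reachable DC.
Import-Module ActiveDirectory

# Hypothetical placeholder: short host name of the DC that should hold every role.
$SurvivingDC = 'GOOD-DC01'

$forest = Get-ADForest
$domain = Get-ADDomain

# Two roles are forest-wide, three are per domain.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

$report = foreach ($role in $roles.GetEnumerator()) {
    # An empty holder (for example a stale or deleted owner) counts as misplaced.
    $holder = [string]$role.Value
    [pscustomobject]@{
        Role     = $role.Key
        Holder   = $holder
        OnTarget = ($holder -split '\.')[0] -ieq $SurvivingDC
    }
}
$report | Format-Table -AutoSize

# Global Catalog flag and roles as recorded for each DC object.
Get-ADDomainController -Filter * |
    Select-Object Name, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

$misplaced = @($report | Where-Object { -not $_.OnTarget })
if ($misplaced.Count -gt 0) {
    Write-Warning ("Roles not held by {0}: {1}" -f $SurvivingDC,
                   ($misplaced.Role -join ', '))
}
```

On systems without the module, `netdom query fsmo` lists the same five role holders.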
 
LVL 11

Expert Comment

by:Eric
ID: 13911750
And finally how to cleanup the meta data ...

http://support.microsoft.com/default.aspx?scid=kb;en-us;216498

0
 

Author Comment

by:mkrsmis
ID: 13911781
When I went in to check all of the above it showed error as the server.  I was able to transfer everything to the good server except the RID.  When I try that I get this message...

The requested FSMO operation failed.  The current FSMO holder could not be contacted.  The transfer of the current Operations Master could not be performed.
0
 
LVL 11

Accepted Solution

by:
Eric earned 2000 total points
ID: 13911809
Yuck.  That sucks.   Then you have to force it.

http://support.microsoft.com/kb/255504


:(

0
 
LVL 3

Expert Comment

by:miroofi75
ID: 13915846
Format the bad server and rejoin to good server as per its previous role.

The last hope.

regards,


Imran
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 13917365
Sounds like a roles problem on the AD.

You can use adsiedit.msc to manually manipulate the roles and settings on your servers.

Open adsiedit.msc

Expand domain
Expand the domain that you need to update
Expand Domain Controllers, and ensure that both Domain controllers computer accounts are listed there.
Check the properties and settings of the "Attribute Editor" and the "Security tabs" of the two DC's and ensure that they have the same roles, obviously you can only have 1 PDC, but you may want to test the roles by setting up both a Primary, and see if they act according to the designed functions.
0
 

Author Comment

by:mkrsmis
ID: 13917508
After forcing DCPROMO, I was able to unjoin and rejoin the domain.  Then I added Active Directory and it is now working fine.

Thank you for all of your help and guidance.

Jose
0
 
LVL 11

Expert Comment

by:Eric
ID: 13918374
Sweet.   Check your event logs.  If it's pissing and moaning about the old server missing, I strongly recommend doing the metafile cleanup.

Some domain controllers are just jerks :)

Glad it's working!
0
 

Expert Comment

by:wthero
ID: 25491149
Just to clarify, to force DCPROMO:
Start --> Run: "dcpromo /forceremoval"
0
