Solved

Failed Domain Controller

Posted on 2006-06-25
Last Modified: 2010-08-05
I had a file server <svr2> (not a DC). It died.
I restored the files onto another PC, renamed it as the old server and plugged it into the network (so people could still access the files).
I built a new server W2K, copied all the files to this and put it on the network.
Removed the "temp" files server off the network and renamed it back.

I then made the new file server an additional DC.

All working fine...for a while.....

Then from that server, I cannot browse the network, web or anything....everyone however can see the server.
When I add a new user to AD on the PDC (exchange) those new users cannot see the file server (only existing users from AD)

I can ping everything so presume it's a DNS issue. But I have looked and looked and looked for answers to fix it and end up chasing my tail....

I have done a netdiag and the output failures are below.

_____________________________________________________________

DC list test . . . . . . . . . . . : Failed
    [WARNING] Cannot call DsBind to svr2.mydomain.com.au (1.1.1.1). [ERROR_OUTOFMEMORY]


Trust relationship test. . . . . . : Failed
    [FATAL] Secure channel to domain 'MYDOMAIN' is broken. [ERROR_NO_TRUST_SAM_ACCOUNT]


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC 'svr4.mydomain.com.au'.
    [FATAL] Cannot open an LDAP session to 'svr2.mydomain.com.au' at '1.1.1.1'.
    [WARNING] Failed to query SPN registration on DC 'mydomain.afcgroup.com.au'.
    [WARNING] Failed to query SPN registration on DC 'exchange.mydomain.com.au'.

____________________________________________________
I am thinking two things...is this really a problem with <svr2> or with the PDC <exchange>? i.e. does the PDC have corrupt records from the name changes?

Also when I try to add any more DCs they cannot connect to <svr2> so DCPROMO fails!

Please Please HELP!


Question by:TNTdynamite
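The netdiag excerpt in the question, parsed into per-test findings; this is an added example, not part of the original thread. The sample text is constructed from the poster's own output (svr2.mydomain.com.au and 1.1.1.1 are their placeholders), and the point it shows is that a test can report "Passed" while still carrying a FATAL line, so the result column alone is not enough to triage on.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, copied from the netdiag excerpt in the question above;
# svr2.mydomain.com.au and 1.1.1.1 are the poster's own placeholders.
SAMPLE = """\
DC list test . . . . . . . . . . . : Failed
    [WARNING] Cannot call DsBind to svr2.mydomain.com.au (1.1.1.1). [ERROR_OUTOFMEMORY]

Trust relationship test. . . . . . : Failed
    [FATAL] Secure channel to domain 'MYDOMAIN' is broken. [ERROR_NO_TRUST_SAM_ACCOUNT]

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC 'svr4.mydomain.com.au'.
    [FATAL] Cannot open an LDAP session to 'svr2.mydomain.com.au' at '1.1.1.1'.
"""

# Header: test name, dotted leader, colon, result ("Trust relationship test. . : Failed").
TEST_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*?)[ .]*:\s*(?P<result>Passed|Failed|Skipped)\s*$")
# Indented detail lines carry a severity tag; an ERROR_* code may close the line.
DETAIL_RE = re.compile(r"^\s+\[(?P<sev>WARNING|FATAL)\]\s*(?P<msg>.*?)\s*$")
CODE_RE = re.compile(r"\[(?P<code>ERROR_[A-Z0-9_]+)\]$")

@dataclass
class TestResult:
    name: str
    result: str
    details: list = field(default_factory=list)  # (severity, message, code or None)

def parse_netdiag(text):
    """Group each [WARNING]/[FATAL] line under the test header that precedes it."""
    tests, current = [], None
    for line in text.splitlines():
        if (m := TEST_RE.match(line)):
            current = TestResult(m.group("name").strip(), m.group("result"))
            tests.append(current)
        elif (d := DETAIL_RE.match(line)) and current is not None:
            c = CODE_RE.search(d.group("msg"))
            current.details.append((d.group("sev"), d.group("msg"), c.group("code") if c else None))
    return tests

def secure_channel_broken(tests):
    """True when the domain holds no matching machine account for this DC (the poster's trust error)."""
    return any(code == "ERROR_NO_TRUST_SAM_ACCOUNT" for t in tests for _, _, code in t.details)

def fatal_findings(tests):
    """All FATAL details: the LDAP test above says 'Passed' yet carries one, so the column alone misleads."""
    return [(t.name, msg) for t in tests for sev, msg, _ in t.details if sev == "FATAL"]
```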
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16980935
you cannot just remove a DC that has failed, you need to seize the roles and perform a metadata cleanup

http://www.petri.co.il/seizing_fsmo_roles.htm

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

you will also need to recreate your host record for the server and manually delete the old record from AD sites and Services

Author Comment

by:TNTdynamite
ID: 16981025
Thanks...so...
How do I know which FSMO roles SVR2 did if I want to seize them back?
Which server should I perform this on?
What will it do to user access during this seize?
All the others are working fine so I don't want to kill the PDC

When I try to do a metadata cleanup on the PDC...the DC is not listed. If I go to domain controllers in "AD Users & Computers" it is listed but has no NTFRS record.
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981033
this will show you how to view the roles
http://support.microsoft.com/default.aspx?scid=kb;en-us;255690

you need to seize the roles on your now existing DC

it won't do anything to your user access

once you have seized the roles try ntdsutil again and see what happens

Author Comment

by:TNTdynamite
ID: 16981241
I have done this...all roles point to the PDC (already) I didn't have to change any.
The only thing is, with the schema there was an error (The current FSMO holder could not be contacted...operation could not be performed)

When I do ntdsutil do I "connect" to the working PDC or the SVR2 (the one with the problem)?
i.e which one do I "connect to" to seize from? if that makes sense?

Should I only be seizing the Schema?

It says this at the bottom of the ntdsutil instructions...

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.

How do I know which is my GC server? I basically run all services from the PDC.




LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981282
looks like you need to seize the schema role then, don't stress about that message below regarding the IF master, that is for multi levelled domains......

GC is found under sites and services, server - ntds settings - properties, you can see if your machine is a GC there, if it isn't, just tick the box....

you want to be connecting to the existing DC,

there is no such thing as a PDC and BDC with 2000 onwards, they are all equal machines
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981287
oh hang on a sec, i just read this Q again, your server in question wasn't a DC! lol!

when you get that schema master back up, run dcdiag for me again and we go from there  lol i feel like a tool

Author Comment

by:TNTdynamite
ID: 16981318
my main DC is the GC and also the IF master (but you reckon that doesn't matter so that's cool)

I have 3 DCs in Melb (one is the SVR2 crap one), one in Syd and one in Bris.

ran DCDIAG and got...

LDAP bind failed with error 31
A device attached to the system is not functioning

LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981332
Hey an Aussie boy! i live in Sydney but am in Brisbane at the moment

which DC are you running the DCDIAG on? you should run this from the Schema Master.....


Author Comment

by:TNTdynamite
ID: 16981356
oh...I was running from the crapped machine...i'll try again...

there are no switches added, just DCDIAG.exe

got a clean run...only errors were failed test in systemlog (printer drivers)
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981452
good stuff, if you clear your log, and run the diag again it will pass

do you have any problems now? just need a refresh

Author Comment

by:TNTdynamite
ID: 16981527
yep, that's fine now

but the AD on other DC <svr2> is still non functional....thats the one I need to sort out.

i appreciate your help...this is really frustrating me
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981600
still not functional.......if you run dcdiag on that server, what do you get?

Author Comment

by:TNTdynamite
ID: 16981643
LDAP Connection failed with error 58
the specified server cannot perform the requested operation
the machine <svr2> could not be contacted because of a bad net response
Check to make sure that this machine is a domain controller.
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981682
ouch, delete any DNS records for this server and recreate them, does the server show up in sites and services ok?

Author Comment

by:TNTdynamite
ID: 16981733
the DNS "Service" is not running as it points to an internal DNS.

It doesn't show up on its own "sites and services" but on the other DC it does (but has no NTDS settings)

I have tried dcpromo...won't let me.


LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981831
hmmm! let me see if i understand correctly....DNS isn't running on your server? it should be, your DC should be a DNS server in my opinion

to be honest, if this is giving you that much grief i would be doing the following

backup any user data
dcpromo /forceremoval   - that will force removal of AD
usually you would then seize roles but you have this sorted out already
run the metadatacleanup again to clear out the now dead svr2
format the box and promote it as an additional DC once again

this is drastic but the amount of time you will save doing this vs troubleshooting each small error makes it worthwhile

Author Comment

by:TNTdynamite
ID: 16982085
ok hang on....

I have a really good working DC <exchange>, then I have this other piece of rubbish...<SVR2>

Everyone can talk to <SVR2> but it cannot see anything on the network (can't browse, can't surf, can only TCP/IP stuff)

<exchange> is the DNS for the network,

So, can I just run the dcpromo /forceremoval on <svr2> promote it back to a member. reboot it, clean up on the primary DC (sites and services and users and domains)

restart <svr2> then do promote it back into the domain?

I really don't want to format it....:-(


Will that work?


LVL 48

Expert Comment

by:Jay_Jay70
ID: 16982348
it will work yes, you will need to run your cleanup on the svr2 as well to clean it completely, but yep, you can take that route

Author Comment

by:TNTdynamite
ID: 17005799
Jay Jay,

Guess what, it worked! That has made my life so much easier.
Did the forced removal, cleaned the metadata, ran adsiedit, removed the old DC from all locs, re-booted, then ran dcpromo, rejoined the domain and all came up great!

Thank you, thank you, thank you!

(I have had 3 "specialists" out to try and fix it and in the end they all said format and start again)

glad we got around it!

Cheers
LVL 48

Accepted Solution

by: Jay_Jay70 (earned 500 total points)
ID: 17005849
ha always a way around things my friend, sometimes it just takes some time

glad all works well for you, back in sydney and the real working world now :(       no more Qld holidaying