Failed Domain Controller

I had a file server <svr2> (not a DC). It died.
I restored the files onto another PC, renamed it as the old server and plugged it into the network (so people could still access the files).
I built a new server W2K, copied all the files to this and put it on the network.
Removed the "temp" files server off the network and renamed it back.

I then made the new file server an additional DC.

All working fine...for a while.....

Then from that server, I cannot browse the network, web or anything....everyone however can see the server.
When I add a new user to AD on the PDC (exchange) those new users cannot see the file server (only existing users from AD)

I can ping everything so presume it's a DNS issue. But I have looked and looked and looked for answers to fix it and end up chasing my tail....

I have done a netdiag and the output failures are below.


DC list test . . . . . . . . . . . : Failed
    [WARNING] Cannot call DsBind to ( [ERROR_OUTOFMEMORY]

Trust relationship test. . . . . . : Failed
    [FATAL] Secure channel to domain 'MYDOMAIN' is broken. [ERROR_NO_TRUST_SAM_ACCOUNT]

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC ''.
    [FATAL] Cannot open an LDAP session to '' at ''.
    [WARNING] Failed to query SPN registration on DC ''.
    [WARNING] Failed to query SPN registration on DC ''.

I am thinking, is this really a problem with <svr2> or with the PDC <exchange>? i.e. does the PDC have corrupt records from the name changes?

Also when I try to add any more DCs they cannot connect to <svr2> so DCPROMO fails!

Please Please HELP!

ha always a way around things my friend, sometimes it just takes some time

glad all works well for you, back in Sydney and the real working world now :(       no more Qld holidaying
you cannot just remove a DC that has failed, you need to seize the roles and perform a metadata cleanup

you will also need to recreate your host record for the server and manually delete the old record from AD sites and Services
TNTdynamiteAuthor Commented:
How do I know which FSMO roles SVR2 did if I want to seize them back?
Which server should I perform this on?
What will it do to user access during this seize?
All the others are working fine so I don't want to kill the PDC

When I try to do a metadata cleanup on the PDC...the DC is not listed. If I go to domain controllers in "AD Users & Computers" it is listed but has no NTFRS record.

this will show you how to view the roles;en-us;255690

you need to seize the roles on your now existing DC

it won't do anything to your user access

once you have seized the roles try ntdsutil again and see what happens
TNTdynamiteAuthor Commented:
I have done this...all roles point to the PDC (already) I didn't have to change any.
The only thing is with the schema is there was an error (The current FSMO holder could not be contacted...operation could not be performed)

When I do ntdsutil do I "connect" to the working PDC or the SVR2 (the one with the problem)?
i.e which one do I "connect to" to seize from? if that makes sense?

Should I only be seizing the Schema?

It says this at the bottom of the ntdsutil instructions...

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.

How do I know which is my GC server? I basically run all services from the PDC.

looks like you need to seize the schema role then, don't stress about that message below regarding the IF master, that is for multi levelled domains......

GC is found under sites and services, server - ntds settings - properties, you can see if your machine is a GC there, if it isn't, just tick the box....

you want to be connecting to the existing DC,

there is no such thing as a PDC and BDC with 2000 onwards, they are all equal machines
oh hang on a sec, I just read this Q again, your server in question wasn't a DC! lol!

when you get that schema master back up, run dcdiag for me again and we go from there  lol I feel like a tool
TNTdynamiteAuthor Commented:
my main DC is the GC and also the IF master (but you reckon that doesn't matter so that's cool)

I have 3 DCs in Melb (one is the SVR2 crap one), one in Syd and one in Bris.

ran DCDIAG and got...

LDAP bind failed with error 31
A device attached to the system is not functioning

Hey an Aussie boy! I live in Sydney but am in Brisbane at the moment

which DC are you running the DCDIAG on? you should run this from the Schema Master.....

TNTdynamiteAuthor Commented:
oh...I was running from the crapped machine...I'll try again...

there are no switches added, just DCDIAG.exe

got a clean run...only errors were failed test in systemlog (printer drivers)
good stuff, if you clear your log, and run the diag again it will pass

do you have any problems now? just need a refresh
TNTdynamiteAuthor Commented:
yep, that's fine now

but the AD on the other DC <svr2> is still non functional....that's the one I need to sort out.

I appreciate your help...this is really frustrating me
still not functional.......if you run dcdiag on that server, what do you get?
TNTdynamiteAuthor Commented:
LDAP Connection failed with error 58
the specified server cannot perform the requested operation
the machine <svr2> could not be contacted because of a bad net response
Check to make sure that this machine is a domain controller.
ouch, delete any DNS records for this server and recreate them, does the server show up in sites and services ok?
TNTdynamiteAuthor Commented:
the DNS "Service" is not running as it points to an internal DNS.

It doesn't show up on its own "sites and services" but on the other DC it does (but has no NTDS settings)

I have tried dcpromo...won't let me.

hmmm! let me see if I understand correctly....DNS isn't running on your server? it should be, your DC should be a DNS server in my opinion

to be honest, if this is giving you that much grief I would be doing the following

backup any user data
dcpromo /forceremoval   - that will force removal of AD
usually you would then seize roles but you have this sorted out already
run the metadatacleanup again to clear out the now dead svr2
format the box and promote it as an additional DC once again

this is drastic but the amount of time you will save doing this vs troubleshooting each small error makes it worthwhile
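The role check and seize sequence from the earlier answer and the forced-removal-then-cleanup procedure just listed, written out as one console session. This is an added example, not commands posted by either participant: it assumes the healthy DC is called exchange and the broken one svr2, as in this thread, and it uses the Windows 2000 Support Tools netdom and the interactive ntdsutil prompts (the index numbers you type after the list commands depend on what your own domain shows). Clearing the dead DC's NTDS object and then re-promoting is what fixes the broken secure channel / ERROR_NO_TRUST_SAM_ACCOUNT state netdiag reported at the top of the thread.

```cmd
REM --- 1. On the healthy DC (exchange): confirm which DC holds each of the five FSMO roles.
REM     netdom ships with the Support Tools; the five roles are listed by name.
netdom query fsmo

REM --- 2. On the broken DC (svr2): strip Active Directory off it without trying to replicate.
REM     After the reboot it is a stand-alone server again; also remove its computer account
REM     and stale host/SRV records from DNS, and its server object from AD Sites and Services.
dcpromo /forceremoval

REM --- 3. Back on the healthy DC: remove svr2's leftover NTDS metadata (interactive ntdsutil session).
ntdsutil
metadata cleanup
connections
connect to server exchange
quit
select operation target
list domains
select domain 0
list sites
select site 0
list servers in site
select server 1
quit
remove selected server
quit
quit

REM --- 4. Only if step 1 showed a role still pointing at the dead DC: seize it onto the healthy DC.
REM     (Assumed here: the schema master, the one the thread mentioned as unreachable.)
ntdsutil
roles
connections
connect to server exchange
quit
seize schema master
quit
quit

REM --- 5. Verify the remaining DCs are clean before promoting svr2 again with dcpromo.
dcdiag
repadmin /showreps
```

"select server 1" is a placeholder index: read the numbered list that "list servers in site" prints and pick the entry for svr2. ntdsutil asks for confirmation before "remove selected server" and before a seize, and a seize first tries a normal transfer, so it is safe to run against the DC you intend to keep.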
TNTdynamiteAuthor Commented:
ok hang on....

I have a really good working DC <exchange>, then I have this other piece of rubbish...<SVR2>

Everyone can talk to <SVR2> but it cannot see anything on the network (can't browse, can't surf, can only TCP/IP stuff)

<exchange> is the DNS for the network,

So, can I just run the dcpromo /forceremoval on <svr2> promote it back to a member. reboot it, clean up on the primary DC (sites and services and users and domains)

restart <svr2> then do promote it back into the domain?

I really don't want to format it....:-(

Will that work?

it will work yes, you will need to run your cleanup on the svr2 as well to clean it completely, but yep, you can take that route
TNTdynamiteAuthor Commented:
Jay Jay,

Guess what, it worked! That has made my life so much easier.
Did the forced removal, cleaned the metadata, ran adsiedit, removed the old DC from all locs, re-booted then ran dcpromo, rejoined the domain and all came up great!

Thank you, thank you, thank you!

(I have had 3 "specialists" out to try and fix it and in the end they all said format and start again)

glad we got around it!
