Solved

Failed Domain Controller

Posted on 2006-06-25
528 Views
Last Modified: 2010-08-05
I had a file server <svr2> (not a DC). It died.
I restored the files onto another PC, renamed it as the old server and plugged it into the network (so people could still access the files).
I built a new server (W2K), copied all the files to this and put it on the network.
Removed the "temp" file server from the network and renamed it back.

I then made the new file server an additional DC.

All working fine...for a while.....

Then from that server, I cannot browse the network, web or anything....everyone however can see the server.
When I add a new user to AD on the PDC (exchange), those new users cannot see the file server (only existing users from AD can).

I can ping everything so presume it's a DNS issue. But I have looked and looked and looked for answers to fix it and end up chasing my tail....

I have done a netdiag and the output failures are below.

_____________________________________________________________

DC list test . . . . . . . . . . . : Failed
    [WARNING] Cannot call DsBind to svr2.mydomain.com.au (1.1.1.1). [ERROR_OUTOFMEMORY]


Trust relationship test. . . . . . : Failed
    [FATAL] Secure channel to domain 'MYDOMAIN' is broken. [ERROR_NO_TRUST_SAM_ACCOUNT]


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC 'svr4.mydomain.com.au'.
    [FATAL] Cannot open an LDAP session to 'svr2.mydomain.com.au' at '1.1.1.1'.
    [WARNING] Failed to query SPN registration on DC 'mydomain.afcgroup.com.au'.
    [WARNING] Failed to query SPN registration on DC 'exchange.mydomain.com.au'.

____________________________________________________
I am thinking two things...is this really a problem with <svr2> or with the PDC <exchange>? i.e. does the PDC have corrupt records from the name changes?

Also when I try to add any more DCs they cannot connect to <svr2> so DCPROMO fails!

Please Please HELP!


Question by:TNTdynamite
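The netdiag output above mixes two different failure classes: a locator/DNS failure (DC list and LDAP session to svr2 at 1.1.1.1) and ERROR_NO_TRUST_SAM_ACCOUNT, which is a machine-account problem rather than a name-resolution one. The script below is an added example, not part of the original question, that runs the checks a practitioner would use to tell those apart on the sick DC. The names mydomain.com.au / MYDOMAIN, the healthy DC `exchange` and the sick DC `svr2` are taken from the thread; everything else (the parameter names, the way the output is parsed) is assumed. nltest, nslookup and dcdiag are from the Windows 2000 Support Tools (built in from Windows Server 2003 on).

```powershell
# Added example (not from the original thread): separate "DNS problem" from
# "broken DC machine account" on a DC that netdiag reports with
# ERROR_NO_TRUST_SAM_ACCOUNT. Assumed names: DNS domain mydomain.com.au,
# NetBIOS name MYDOMAIN, healthy DC "exchange". Run on the sick DC.
param(
    [string]$DnsDomain  = 'mydomain.com.au',
    [string]$NetbiosDom = 'MYDOMAIN',
    [string]$GoodDc     = 'exchange',
    [string]$ThisDc     = $env:COMPUTERNAME
)

Write-Host "== 1. Which DNS servers does this DC itself use?"
# A DC must point at a DNS server that hosts the AD zone (here: exchange),
# never at an ISP resolver. "Can ping but cannot browse" is the classic symptom.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, DNSServerSearchOrder | Format-List

Write-Host "== 2. Do the AD SRV records resolve, and do they still name $ThisDc?"
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DnsDomain" 2>&1
$srv
if ($srv -match "svr hostname\s*=\s*$([regex]::Escape($ThisDc))") {
    Write-Host "DNS still advertises $ThisDc as a DC."
} else {
    Write-Host "No SRV record names $ThisDc: Netlogon has not registered it (DNS side)."
}

Write-Host "== 3. Can the domain locator find any DC at all? (rules DNS in or out)"
nltest "/dsgetdc:$DnsDomain"

Write-Host "== 4. State of this machine's secure channel to the domain"
# ERROR_NO_TRUST_SAM_ACCOUNT here means the domain has no usable computer
# account for this name: a machine-account problem, not a DNS problem.
nltest "/sc_query:$NetbiosDom"

Write-Host "== 5. What does the healthy DC think the role holders are?"
# Run the role-holder test against the good DC; if the sick DC is listed as a
# holder it cannot reach, that is the role-seizure case discussed below.
dcdiag "/s:$GoodDc" /test:knowsofroleholders /v
```

Step 1 answers the "is it DNS?" question directly; step 4 is the one that matters for the netdiag output quoted above, because a broken secure channel on a DC that has no computer account cannot be repaired by fixing DNS alone.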
20 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16980935
you cannot just remove a DC that has failed, you need to seize the roles and perform a metadata cleanup

http://www.petri.co.il/seizing_fsmo_roles.htm

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

you will also need to recreate your host record for the server and manually delete the old record from AD sites and Services

Author Comment

by:TNTdynamite
ID: 16981025
Thanks...so...
How do I know which FSMO roles SVR2 held if I want to seize them back?
Which server should I perform this on?
What will it do to user access during this seizure?
All the others are working fine so I don't want to kill the PDC

When I try to do a metadata cleanup on the PDC...the DC is not listed. If I go to domain controllers in "AD Users & Computers" it is listed but has no NTFRS record.
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981033
this will show you how to view the roles
http://support.microsoft.com/default.aspx?scid=kb;en-us;255690

you need to seize the roles on your now existing DC

it won't do anything to your user access

once you have seized the roles try ntdsutil again and see what happens
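The three things this comment asks for (see which DC holds each role, check whether a DC is a Global Catalog, seize a role onto a surviving DC) can be done from the command line instead of the MMC snap-ins. The following is an added example, not code from the thread: it reads the same NTDS Settings `options` bit that the "Global Catalog" checkbox in Sites and Services sets, and drives ntdsutil non-interactively. The server names `exchange` and `svr2` come from the thread; the distinguished name `DC=mydomain,DC=com,DC=au`, the site name `Default-First-Site-Name` and the function name are assumptions.

```powershell
# Added example (not from the thread): list FSMO role holders, test whether a
# DC is a GC, and seize one role onto a live DC. Run on the DC that will
# receive the role. Assumed: single-domain forest DC=mydomain,DC=com,DC=au,
# site Default-First-Site-Name, live DC "exchange", dead DC "svr2".
param(
    [string]$LiveDc   = 'exchange',
    [string]$DeadDc   = 'svr2',
    [string]$DomainDn = 'DC=mydomain,DC=com,DC=au',
    [string]$Site     = 'Default-First-Site-Name',
    # ntdsutil role names: schema master | domain naming master | PDC |
    # RID master | infrastructure master
    [string]$Role     = 'schema master'
)

# 1. Who holds which role right now? (netdom: Support Tools on 2000, built in on 2003+)
netdom query fsmo

# 2. Is a given server a GC? The "options" attribute on its NTDS Settings object
#    has bit 0x1 (NTDSDSA_OPT_IS_GC) set when it is. This is the value behind the
#    checkbox at Sites and Services > server > NTDS Settings > Properties.
function Test-IsGlobalCatalog([string]$Server) {
    $dn = "LDAP://CN=NTDS Settings,CN=$Server,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDn"
    try {
        $ntds = [ADSI]$dn
        $opts = [int]$ntds.psbase.Properties['options'].Value   # throws if the object is absent
        return (($opts -band 1) -eq 1)
    } catch {
        # No NTDS Settings object at all: the server is not (or is no longer) a DC.
        return $false
    }
}
foreach ($s in @($LiveDc, $DeadDc)) {
    "{0,-12} GC={1}" -f $s, (Test-IsGlobalCatalog $s)
}

# 3. Seize the role onto the live DC. ntdsutil attempts a graceful transfer first
#    and only seizes if the current holder cannot be contacted; it shows a Yes/No
#    confirmation dialog before doing so. Each quoted argument is one ntdsutil command.
ntdsutil 'roles' 'connections' "connect to server $LiveDc" 'quit' "seize $Role" 'quit' 'quit'

# 4. Confirm the new holder. A seized role must never be brought back online on the
#    old holder; that machine has to be rebuilt or force-demoted and cleaned up.
netdom query fsmo
```

The GC test is the part worth keeping around: a server that appears under Sites and Services but whose NTDS Settings object is missing (the situation described later in this thread) will report `GC=False` because the bind fails, which is itself the signal that metadata cleanup is needed.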
Author Comment

by:TNTdynamite
ID: 16981241
I have done this...all roles point to the PDC (already); I didn't have to change any.
The only thing is with the schema is there was an error (The current FSMO holder could not be contacted...operation could not be performed)

When I do ntdsutil do I "connect" to the working PDC or the SVR2 (the one with the problem)?
i.e which one do I "connect to" to seize from? if that makes sense?

Should I only be seizing the Schema?

It says this at the bottom of the ntdsutil instructions...

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.

How do I know which is my GC server? I basically run all services from the PDC.




LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981282
looks like you need to seize the schema role then, don't stress about that message below regarding the Infrastructure Master, that is for multi-levelled domains......

GC is found under sites and services, server - ntds settings - properties, you can see if your machine is a GC there, if it isn't, just tick the box....

you want to be connecting to the existing DC,

there is no such thing as a PDC and BDC with 2000 onwards, they are all equal machines
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981287
oh hang on a sec, i just read this Q again, your server in question wasn't a DC! lol!

when you get that schema master back up, run dcdiag for me again and we'll go from there  lol i feel like a tool

Author Comment

by:TNTdynamite
ID: 16981318
my main DC is the GC and also the Infrastructure Master (but you reckon that doesn't matter so that's cool)

I have 3 x DCs in Melb (one is the SVR2 crap one), one in Syd and one in Bris.

ran DCDIAG and got...

LDAP bind failed with error 31
A device attached to the system is not functioning

LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981332
Hey an Aussie boy! i live in Sydney but am in Brisbane at the moment

which DC are you running the DCDIAG on? you should run this from the Schema Master.....


Author Comment

by:TNTdynamite
ID: 16981356
oh...I was running from the crapped machine...i'll try again...

there is no switches added just DCDIAG.exe

got a clean run...only errors were failed test in systemlog (printer drivers)
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981452
good stuff, if you clear your log, and run the diag again it will pass

do you have any problems now? just need a refresh

Author Comment

by:TNTdynamite
ID: 16981527
yep, thats fine now

but the AD on other DC <svr2> is still non functional....thats the one I need to sort out.

i appreciate your help...this is really frustrating me
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981600
still not functional.......if you run dcdiag on that server, what do you get?

Author Comment

by:TNTdynamite
ID: 16981643
LDAP Connection failed with error 58
the specified server cannot perform the requested operation
the machine <svr2> could not be contacted because of a bad net response
Check to make sure that this machine is a domain controller.
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981682
ouch, delete any DNS records for this server and recreate them, does the server show up in sites and services ok?

Author Comment

by:TNTdynamite
ID: 16981733
the DNS "Service" is not running as it points to an internal DNS.

It doesn't show up on its own "sites and services" but on the other DC it does (but has no NTDS settings)

I have tried dcpromo...won't let me.


LVL 48

Expert Comment

by:Jay_Jay70
ID: 16981831
hmmm! let me see if i understand correctly....DNS isn't running on your server? it should be, your DC should be a DNS server in my opinion

to be honest, if this is giving you that much grief i would be doing the following

backup any user data
dcpromo /forceremoval   - that will force removal of AD
usually you would then seize roles but you have this sorted out already
run the metadatacleanup again to clear out the now dead svr2
format the box and promote it as an additional DC once again

this is drastic but the amount of time you will save doing this vs troubleshooting each small error makes it worthwhile
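The recovery path in the comment above (force-remove AD on the broken DC, clean its metadata out of the directory on a healthy DC, then promote again) is what the thread eventually settles on, with the addition that the leftover objects had to be deleted with ADSI Edit because the dead DC no longer had an NTDS Settings object and so did not appear in ntdsutil's server list. The script below is an added example, not code from the thread, that does both phases from the command line. Names from the thread: `svr2`, `exchange`, `1.1.1.1`, mydomain.com.au. Assumed: the distinguished name `DC=mydomain,DC=com,DC=au`, the site name, a single domain in the forest (so ntdsutil's domain index is 0), and the `$Phase` parameter.

```powershell
# Added example (not from the thread): force-demote a broken DC, then purge it
# from AD and DNS on a healthy DC. Phase 'demote' runs on svr2; phase 'cleanup'
# runs on exchange once svr2 has rebooted as a plain member server.
# Assumed: single-domain forest DC=mydomain,DC=com,DC=au, site Default-First-Site-Name.
param(
    [Parameter(Mandatory=$true)][ValidateSet('demote','cleanup')] [string]$Phase,
    [string]$DeadDc   = 'svr2',
    [string]$DeadIp   = '1.1.1.1',
    [string]$LiveDc   = 'exchange',
    [string]$DnsZone  = 'mydomain.com.au',
    [string]$DomainDn = 'DC=mydomain,DC=com,DC=au',
    [string]$Site     = 'Default-First-Site-Name'
)

if ($Phase -eq 'demote') {
    # --- on svr2: drop AD without needing to reach any other DC ---
    # Back up user data first: /forceremoval replicates nothing out.
    dcpromo /forceremoval
    # After the reboot, rejoin the domain and point the NIC's DNS at exchange
    # before running dcpromo again.
    return
}

# --- on exchange: remove every trace of the old svr2 DC identity ---

# 1. Metadata cleanup. ntdsutil's indices are positional, so list first and
#    read them back; each quoted argument is one ntdsutil command.
ntdsutil 'metadata cleanup' 'connections' "connect to server $LiveDc" 'quit' `
         'select operation target' 'list domains' 'list sites' 'quit' 'quit' 'quit'
$siteIdx = Read-Host "Index of site $Site in the list above"
ntdsutil 'metadata cleanup' 'connections' "connect to server $LiveDc" 'quit' `
         'select operation target' 'select domain 0' "select site $siteIdx" `
         'list servers in site' 'quit' 'quit' 'quit'
$srvIdx = Read-Host "Index of $DeadDc in the server list above (blank if not listed)"
if ($srvIdx -ne '') {
    # ntdsutil shows a confirmation dialog before removing the server.
    ntdsutil 'metadata cleanup' 'connections' "connect to server $LiveDc" 'quit' `
             'select operation target' 'select domain 0' "select site $siteIdx" `
             "select server $srvIdx" 'quit' 'remove selected server' 'quit' 'quit'
}

# 2. Objects that survive (or never reach) metadata cleanup when the NTDS
#    Settings object is already gone. These are the ADSI Edit locations.
$leftovers = @(
    "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDn",   # Sites and Services
    "CN=$DeadDc,OU=Domain Controllers,$DomainDn",                            # DC computer account
    "CN=$DeadDc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$DomainDn"  # FRS member
)
foreach ($dn in $leftovers) {
    $obj = [ADSI]"LDAP://$dn"
    try {
        $null = $obj.psbase.Properties['distinguishedName'].Value   # forces the bind; throws if absent
        $obj.psbase.DeleteTree()                                     # removes the object and any children
        "deleted  $dn"
    } catch {
        "absent   $dn"
    }
}

# 3. Stale DNS: delete the old host record, then list anything still naming svr2
#    (SRV records under _msdcs/_sites/_tcp/_udp and the GUID CNAME). dnscmd is in
#    the Support Tools on 2000 and built in on 2003+.
dnscmd $LiveDc /RecordDelete $DnsZone $DeadDc A $DeadIp /f
dnscmd $LiveDc /ZonePrint $DnsZone 2>&1 | Select-String -Pattern $DeadDc
# Remove each hit with: dnscmd <dns server> /RecordDelete <zone> <node> <type> <data> /f
# Fresh records register themselves when svr2 is promoted again (Netlogon).

# 4. Re-promote on svr2: dcpromo, "additional domain controller for an existing domain".
```

Do not skip step 2 on the strength of step 1 having succeeded: the thread's own symptom ("it doesn't show up in metadata cleanup but is still listed under Domain Controllers") is exactly the case where ntdsutil has nothing to remove and the leftover objects are what keep a new promotion from completing.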

Author Comment

by:TNTdynamite
ID: 16982085
ok hang on....

I have a really good working DC <exchange>, then I have this other piece of rubbish...<SVR2>

Everyone can talk to <SVR2> but it cannot see anything on the network (can't browse, can't surf, can only TCP/IP stuff)

<exchange> is the DNS for the network,

So, can I just run the dcpromo /forceremoval on <svr2>, demote it back to a member, reboot it, clean up on the primary DC (sites and services and users and domains),

restart <svr2> then promote it back into the domain?

I really don't want to format it....:-(


Will that work?


LVL 48

Expert Comment

by:Jay_Jay70
ID: 16982348
it will work yes, you will need to run your cleanup on the svr2 as well to clean it completely, but yep, you can take that route

Author Comment

by:TNTdynamite
ID: 17005799
Jay Jay,

Guess what, it worked! That has made my life so much easier.
Did the forced removal, cleaned the metadata, ran adsiedit, removed the old DC from all locs, re-booted then ran dcpromo, rejoined the domain and all came up great!

Thankyou, thankyou, thankyou!

(I have had 3 "specialists" out to try and fix it and in the end they all said format and start again)

glad we got around it!

Cheers
LVL 48

Accepted Solution

by:Jay_Jay70 (earned 500 total points)
ID: 17005849
ha always a way around things my friend, sometimes it just takes some time

glad all works well for you, back in sydney and the real working world now :(       no more Qld holidaying