TNTdynamite

asked on

Failed Domain Controller

I had a file server <svr2> (not a DC). It died.
I restored the files onto another PC, renamed it as the old server and plugged it into the network (so people could still access the files).
I built a new server W2K, copied all the files to this and put it on the network.
Removed the "temp" file server off the network and renamed it back.

I then made the new file server an additional DC.

All working fine...for a while.....

Then from that server, I cannot browse the network, web or anything....everyone however can see the server.
When I add a new user to AD on the PDC (exchange) those new users cannot see the file server (only existing users from AD)

I can ping everything so I presume it's a DNS issue. But I have looked and looked and looked for answers to fix it and end up chasing my tail....

I have done a netdiag and the output failures are below.

_____________________________________________________________

DC list test . . . . . . . . . . . : Failed
    [WARNING] Cannot call DsBind to svr2.mydomain.com.au (1.1.1.1). [ERROR_OUTOFMEMORY]


Trust relationship test. . . . . . : Failed
    [FATAL] Secure channel to domain 'MYDOMAIN' is broken. [ERROR_NO_TRUST_SAM_ACCOUNT]


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC 'svr4.mydomain.com.au'.
    [FATAL] Cannot open an LDAP session to 'svr2.mydomain.com.au' at '1.1.1.1'.
    [WARNING] Failed to query SPN registration on DC 'mydomain.afcgroup.com.au'.
    [WARNING] Failed to query SPN registration on DC 'exchange.mydomain.com.au'.

____________________________________________________
I am thinking two things...is this really a problem with <svr2> or with the PDC <exchange>? i.e. does the PDC have corrupt records from the name changes?

Also when I try to add any more DCs they cannot connect to <svr2> so DCPROMO fails!

Please Please HELP!


Jay_Jay70

you cannot just remove a DC that has failed, you need to seize the roles and perform a metadata cleanup

http://www.petri.co.il/seizing_fsmo_roles.htm

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

you will also need to recreate your host record for the server and manually delete the old record from AD sites and Services
TNTdynamite

ASKER

Thanks...so...
How do I know which FSMO roles SVR2 did if I want to seize them back?
Which server should I perform this on?
What will it do to user access during this seize?
All the others are working fine so I don't want to kill the PDC

When I try to do a metadata cleanup on the PDC...the DC is not listed. If I go to domain controllers in "AD Users & Computers" it is listed but has no NTFRS record.

Jay_Jay70

this will show you how to view the roles
http://support.microsoft.com/default.aspx?scid=kb;en-us;255690

you need to seize the roles on your now existing DC

it won't do anything to your user access

once you have seized the roles try ntdsutil again and see what happens

TNTdynamite

I have done this...all roles point to the PDC (already) I didn't have to change any.
The only thing is that with the schema there was an error (The current FSMO holder could not be contacted...operation could not be performed)

When I do ntdsutil do I "connect" to the working PDC or the SVR2 (the one with the problem)?
i.e which one do I "connect to" to seize from? if that makes sense?

Should I only be seizing the Schema?

It says this at the bottom of the ntdsutil instructions...

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.

How do I know which is my GC server? I basically run all services from the PDC.




Jay_Jay70

looks like you need to seize the schema role then, don't stress about that message below regarding the IF master, that is for multi levelled domains......

GC is found under sites and services, server - ntds settings - properties, you can see if your machine is a GC there, if it isn't, just tick the box....

you want to be connecting to the existing DC,

there is no such thing as a PDC and BDC with 2000 onwards, they are all equal machines
oh hang on a sec, i just read this Q again, your server in question wasn't a DC! lol!

when you get that schema master back up, run dcdiag for me again and we go from there  lol i feel like a tool

TNTdynamite

my main DC is the GC and also the IF master (but you reckon that doesn't matter so that's cool)

I have 3 x DCs in Melb (one is the SVR2 crap one), one in Syd and one in Bris.

ran DCDIAG and got...

LDAP bind failed with error 31
A device attached to the system is not functioning

Jay_Jay70

Hey an Aussie boy! i live in Sydney but am in Brisbane at the moment

which DC are you running the DCDIAG on? you should run this from the Schema Master.....

TNTdynamite

oh...I was running from the crapped machine...i'll try again...

there are no switches added, just DCDIAG.exe

got a clean run...only errors were failed test in systemlog (printer drivers)

Jay_Jay70

good stuff, if you clear your log, and run the diag again it will pass

do you have any problems now? just need a refresh

TNTdynamite

yep, that's fine now

but the AD on other DC <svr2> is still non functional....that's the one I need to sort out.

i appreciate your help...this is really frustrating me

Jay_Jay70

still not functional.......if you run dcdiag on that server, what do you get?

TNTdynamite

LDAP Connection failed with error 58
the specified server cannot perform the requested operation
the machine <svr2> could not be contacted because of a bad net response
Check to make sure that this machine is a domain controller.

Jay_Jay70

ouch, delete any DNS records for this server and recreate them, does the server show up in sites and services ok?
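The checks below are an added example, not from any post in this thread, of what to look at before and after deleting and recreating svr2's DNS records as Jay_Jay70 suggests. They use only the names already in the thread (exchange.mydomain.com.au as the DNS server the DCs point at, svr2.mydomain.com.au as the broken DC, MYDOMAIN / mydomain.com.au as the domain, 1.1.1.1 as the address netdiag reported) and the Windows 2000 built-in and Support Tools commands nslookup, nltest, netdiag and dcdiag. Everything runs from a command prompt on svr2 except where the comment says otherwise.

```cmd
rem Added example, not from the thread. Names are the thread's (mydomain.com.au,
rem exchange, svr2, 1.1.1.1); run from a command prompt on svr2 unless stated.

rem 1. Which hosts does DNS actually advertise as domain controllers?
rem    Every DC should have an LDAP and a Kerberos SRV record here. A DC that is
rem    missing cannot be located by clients or other DCs; a stale one produces
rem    the DsBind / LDAP-session failures seen in the netdiag output above.
nslookup -type=SRV _ldap._tcp.dc._msdcs.mydomain.com.au exchange.mydomain.com.au
nslookup -type=SRV _kerberos._tcp.dc._msdcs.mydomain.com.au exchange.mydomain.com.au

rem 2. Does the A record for svr2 still resolve to the address netdiag tried?
nslookup svr2.mydomain.com.au exchange.mydomain.com.au

rem 3. Which DC does the locator hand out for the domain?
nltest /dsgetdc:mydomain.com.au

rem 4. Secure channel state for the domain. This is the "Trust relationship"
rem    test that netdiag reported as broken (ERROR_NO_TRUST_SAM_ACCOUNT).
nltest /sc_query:MYDOMAIN

rem 5. After the stale A and SRV records for svr2 have been deleted on the DNS
rem    server (exchange, in the DNS console), re-register svr2's own records.
rem    Restarting netlogon rewrites the SRV records it keeps in
rem    %SystemRoot%\system32\config\netlogon.dns.
ipconfig /registerdns
net stop netlogon
net start netlogon

rem 6. Re-run the tests that failed in the question. /fix makes netdiag
rem    re-register any DNS records it finds missing for the DC it runs on.
netdiag /test:dns /fix
dcdiag /v
```

If step 1 lists svr2 correctly after the re-registration but step 4 still reports a broken secure channel, DNS was not the whole problem: ERROR_NO_TRUST_SAM_ACCOUNT means the domain no longer has a usable trust account for this machine, which is the situation the forced removal and re-promotion later in the thread deals with.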

TNTdynamite

the DNS "Service" is not running as it points to an internal DNS.

It doesn't show up on its own "sites and services" but on the other DC it does (but has no NTDS settings)

I have tried dcpromo...won't let me.


Jay_Jay70

hmmm! let me see if i understand correctly....DNS isn't running on your server? it should be, your DC should be a DNS server in my opinion

to be honest, if this is giving you that much grief i would be doing the following

backup any user data
dcpromo /forceremoval   - that will force removal of AD
usually you would then seize roles but you have this sorted out already
run the metadatacleanup again to clear out the now dead svr2
format the box and promote it as an additional DC once again

this is drastic but the amount of time you will save doing this vs troubleshooting each small error makes it worthwhile
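This is an added example, not from any post in this thread, of the ntdsutil dialogue behind the route Jay_Jay70 describes here and in the petri links earlier: first confirm which DC holds the FSMO roles and seize only a role the dead box actually held, then use metadata cleanup to remove the dead DC's NTDS Settings object. It assumes the names from the thread (exchange.mydomain.com.au as the healthy DC the session connects to, svr2 as the DC being removed) and that svr2 has already been force-demoted with dcpromo /forceremoval or is off the network. The text before each colon is ntdsutil's own prompt, not something you type; the "1" in select server is a placeholder for whatever number the list step prints next to svr2.

```cmd
rem Added example, not from the thread. Run on the healthy DC (exchange).
rem Prompt text before the colon is printed by ntdsutil; type only what follows it.

C:\> ntdsutil

rem --- 1. See who holds the roles before seizing anything ---
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server exchange.mydomain.com.au
server connections: quit
fsmo maintenance: select operation target
select operation target: list roles for connected server
select operation target: quit

rem --- 2. Seize only a role the dead DC held (the thread's case: schema) ---
rem ntdsutil tries a graceful transfer first and asks for confirmation before
rem seizing; the old holder must never come back online unrebuilt afterwards.
fsmo maintenance: seize schema master
fsmo maintenance: quit

rem --- 3. Metadata cleanup: remove the dead DC's NTDS Settings object ---
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server exchange.mydomain.com.au
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
select operation target: select domain 0
select operation target: list sites
select operation target: select site 0
select operation target: list servers in site
rem use the number printed next to svr2 in the list above (placeholder: 1)
select operation target: select server 1
select operation target: quit
metadata cleanup: remove selected server
metadata cleanup: quit
ntdsutil: quit
```

Whatever ntdsutil removes, the matching leftovers still have to go by hand: the server object under AD Sites and Services (as Jay_Jay70 says), the DNS records, and the computer account if it still appears under Domain Controllers. Running dcdiag on exchange afterwards should come up clean before svr2 is promoted again.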

TNTdynamite

ok hang on....

I have a really good working DC <exchange>, then I have this other piece of rubbish...<SVR2>

Everyone can talk to <SVR2> but it cannot see anything on the network (can't browse, can't surf, can only TCP/IP stuff)

<exchange> is the DNS for the network,

So, can I just run the dcpromo /forceremoval on <svr2> promote it back to a member. reboot it, clean up on the primary DC (sites and services and users and domains)

restart <svr2> then do promote it back into the domain?

I really don't want to format it....:-(


Will that work?


Jay_Jay70

it will work yes, you will need to run your cleanup on the svr2 as well to clean it completely, but yep, you can take that route

TNTdynamite

Jay Jay,

Guess what, it worked! That has made my life so much easier.
Did the forced removal, cleaned the metadata, ran adsiedit, removed the old DC from all locs, re-booted, then ran dcpromo, rejoined the domain and all came up great!

Thank you, thank you, thank you!

(I have had 3 "specialists" out to try and fix it and in the end they all said format and start again)

Jay_Jay70

glad we got around it!

Cheers
ASKER CERTIFIED SOLUTION
Jay_Jay70