Windows 2003 server. Cannot access domain!

Windows 2003 server. I recently restored Active Directory and now when I try to log on from a workstation, it says that the domain is not available. I can log onto to the domain server locally, however.

Tried the usual reboots but no avail.

Any suggestions?
LVL 11
Jason210Asked:
Who is Participating?
 
RightNLConnect With a Mentor Commented:
make the pc member of a workgroup and reboot .. than make the pc member of the domain again..

0
 
Netman66Connect With a Mentor Commented:
How old was the restore?  If you're longer than 60 days, you're outside the Tombstone life.

0
 
RightNLCommented:
and the solution is to exit the domain and join again ;o)
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
Jason210Author Commented:
Yes it was older than 60 days - just a few more days so.

So I have to do that for ALL the workstations?
0
 
Netman66Commented:
Well, restoring after tombstone is a risky proposition.  Everything from day 60+ is gone.

Quote:

Age

A backup that is older than the tombstone lifetime set in Active Directory is not a good backup. At a minimum, perform at least two backups within the tombstone lifetime. The default tombstone lifetime is 60 days. Active Directory incorporates the tombstone lifetime into the backup and restore process as a means of protecting itself from inconsistent data.

Deleting an object from Active Directory is a two-step process. When an object is deleted in Active Directory, the object gets converted into a tombstone, which is then replicated to the other domain controllers in the environment to inform them of the deletion. Active Directory purges the tombstone when the tombstone lifetime is reached.

If you restore a domain controller to a state prior to the deletion of an object, and the tombstone for that object is not replicated to the restored domain controller before the tombstone expires, the object remains present only on the restored domain controller, resulting in inconsistent data. Thus, you must restore the domain controller prior to expiration of the tombstone, and allow inbound replication from a domain controller containing the tombstone to complete prior to expiration of the tombstone.

Active Directory protects itself from restoring data older than the tombstone lifetime by disallowing the restore. As a result, the useful life of a backup is equivalent to the tombstone lifetime setting for the enterprise.

:End Quote

Reference: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd03.mspx

Rejoining workstations to the domain is likely a small portion of the issues you're going to see.

0
 
RightNLCommented:
yup.. you will have to do that for all computers ..

if the restore was older than 60 days you will also get issues with passwords expired.. group memberships, new users that are unknown. etc etc.

0
 
Jason210Author Commented:
Actually I didn't use a restore - I used a mirrored hard drive - so once the workstations are clean out and rehoind, tombstone shouldn't be an issue, right?
0
 
Netman66Commented:
Whatever method you used, the AD is out of date.

Once you rejoin the workstations, you'll have to also reset all the user passwords that are NOT set to never expire.

Then we'll see what else is broken.
0
 
Jason210Author Commented:
I don't follow. What determines that the AD is out of date? If the hard drive with the entire windows installation on, including system files and AD, was mirrored, then as far as I can see, emptying the profiles and rejoining the workstations could work

How about temporarily putting back the date on all the machines?
0
 
Netman66Commented:
Timestamps on all objects compared with current time and date is what determines currentness.

Once you've booted into the server the current time and date are written in the directory so rolling back the clocks will just create more issues.

You stated this mirror is more than 60 days old.  If the mirror was current (as in the day the primary drive failed) then there should be no issue if you boot from it.

0
 
Jason210Author Commented:
>If the mirror was current (as in the day the primary drive failed) then there should be no issue if you boot from it.

Sorry, can you explain this? Don't follow...
0
 
Netman66Commented:
Mirrored drives are normally both installed in the server - one drive is primary and the other is a mirror.  Is this what you mean by mirrored drive?

0
 
Jason210Author Commented:
We use dynamic drives (yeah I know sux) that mirror each other. So I guess one is a mirror and another primary but if the primary fails the mirror will boot, and the boot.ini is modified automatically. I happened to have a disk containing either a mirror or primary that was about 3 months old, and it was easier to try this, update the file server from a recent back up, rather reinstall the whole operating system.

I'm a bit worried about this AD problems I might be faced with, but am prepared to spend a few days to fix them, if fixing them is feasible. Thanks for your help so far - it's been most useful.

0
 
Netman66Commented:
If you have a recent backup why aren't you using that?

0
 
Jason210Author Commented:
It was just a manual backup of the contents of the file server.
0
 
RightNLCommented:
if you can I would do a windows repair on the bootless disk so it creates a boot section on the disk this way your ad is newer.

0
 
Jason210Author Commented:
>if you can I would do a windows repair on the bootless disk so
>it creates a boot section on the disk this way your ad is newer.

Unfortunately, the drive letter changed on the bootless disk. I moved the boot sector manually, and then found I couldn't log on. Nor could I log on to do a windows repair. I still have the disk and if I could log on to it I could repair it. Anyway, I'm using the earlier back up. Some people came in to the office today and were able to log on without any problems. I have not experienced any password problems. It seems only my laptop was affected so far.
0
 
RightNLCommented:
use a windows cd ... boot from the cd and tell it to install. I should find the current installation (independed on the drive letter) than choose repair.

 
0
 
Jason210Author Commented:
In order to carry out a repair as you suggest, I need to log on via the windows CD in the command screen. I cannot log on. This was the whole problem!!!
0
 
Jason210Author Commented:
Anyway - I've decided to go with the old AD option and fix the isues that arise - that is if they are all fixable. We don't have the possibility now to have the server offline except for short periods now and again. I personally have some time (a few days) to fix any problems that may arise out of this.

What I would really appreciate is a worse case scenario with this type of operation.
0
 
cj_1969Connect With a Mentor Commented:
Is this your only domain controller?  If not, then you might have some initial issues with it but it should refresh all of its information from the other domain controller(s) ... once up-to-date it should be fine.  You might have to tweak and force the replication to get things in sync again as AD does not like to replicate data that is too old.
Another thought ... if this is a "secondary" domain controller ... just remove AD and make it a member server and then promote it back to AD ... this will clear AD and then let it sync fresh with the other controller(s).

If this is your only domain controller ... oh well, some data will be out of date such as passwords and account information but that should be minor ... as you stated, just deal withthose as they arrive.

For computer accounts ... just remove the domain settings from the workstation and then add it back into the domain ... BACK UP the user profiles first or you'll likely lose any info they have in their my documents, their desktop and application settings.

For user accounts ... you probably don't have users resetting their passwords at all and if you do not that often ... password resets should be minimal and a simple change ... worse case, you change it to something generic and set it for the user to change it at next log in and they can set it back to what they have been using.

Any data stored on the server is lost but if you have backup you can restore individual files from the backups ... easier than restoring the server  :)

Chances are thats it.

let us know if youhave any other problems and we can address them as they come up ... I think they will be minimal if any.
0
 
Jason210Author Commented:
>let us know if youhave any other problems and we can address them as they come up

Thanks!!
0
 
cj_1969Commented:
How's it going?  Any problems since the restore?
If not, can you please close this questions so that we know you are up and working  :)
0
 
Jason210Author Commented:
Ok, only one problem noticed so far. Some Group policies aren't working.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.