Windows 2003 server. Cannot access domain!

Posted on 2007-08-08
Last Modified: 2010-08-05
Windows 2003 server. I recently restored Active Directory and now when I try to log on from a workstation, it says that the domain is not available. I can log on to the domain server locally, however.

Tried the usual reboots, but to no avail.

Any suggestions?
Question by:Jason210
24 Comments
 
LVL 5

Accepted Solution

by:
RightNL earned 1400 total points
ID: 19653173
Make the PC a member of a workgroup and reboot, then make the PC a member of the domain again.

LVL 51

Assisted Solution

by:Netman66
Netman66 earned 200 total points
ID: 19653383
How old was the restore? If it is older than 60 days, you're outside the tombstone lifetime.

LVL 5

Expert Comment

by:RightNL
ID: 19653528
And the solution is to leave the domain and join it again ;o)
LVL 11

Author Comment

by:Jason210
ID: 19654131
Yes, it was older than 60 days - just by a few days or so.

So I have to do that for ALL the workstations?
LVL 51

Expert Comment

by:Netman66
ID: 19654224
Well, restoring after the tombstone lifetime is a risky proposition. Everything from day 60+ is gone.

Quote:

Age

A backup that is older than the tombstone lifetime set in Active Directory is not a good backup. At a minimum, perform at least two backups within the tombstone lifetime. The default tombstone lifetime is 60 days. Active Directory incorporates the tombstone lifetime into the backup and restore process as a means of protecting itself from inconsistent data.

Deleting an object from Active Directory is a two-step process. When an object is deleted in Active Directory, the object gets converted into a tombstone, which is then replicated to the other domain controllers in the environment to inform them of the deletion. Active Directory purges the tombstone when the tombstone lifetime is reached.

If you restore a domain controller to a state prior to the deletion of an object, and the tombstone for that object is not replicated to the restored domain controller before the tombstone expires, the object remains present only on the restored domain controller, resulting in inconsistent data. Thus, you must restore the domain controller prior to expiration of the tombstone, and allow inbound replication from a domain controller containing the tombstone to complete prior to expiration of the tombstone.

Active Directory protects itself from restoring data older than the tombstone lifetime by disallowing the restore. As a result, the useful life of a backup is equivalent to the tombstone lifetime setting for the enterprise.

:End Quote

Reference: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd03.mspx

Rejoining workstations to the domain is likely a small portion of the issues you're going to see.

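Netman66's age argument can be checked rather than guessed at. The following PowerShell is an added example, not code from this thread or from Microsoft: it reads the forest's actual tombstoneLifetime through plain ADSI (there was no ActiveDirectory module for a 2003 forest, so it uses System.DirectoryServices only), compares it with the date of the restored copy, and lists computer accounts whose stored machine-account password is old enough that the workstation has most likely rotated it since. That mismatch between the password hash the restored DC holds and the password the workstation actually has is what breaks the secure channel and makes the domain show as "not available", and it is what leaving and rejoining repairs. The $RestorePoint date and the 30-day rotation interval are assumptions (30 days is the default machine-account password age unless policy changed it).

```powershell
# Added example (not from the thread). PowerShell 2.0 on a domain-joined machine;
# uses System.DirectoryServices only, so it works against a Windows 2003 forest.

# ASSUMPTION: when the mirrored disk was last written; substitute your own date.
$RestorePoint = [datetime]'2007-05-08'
# ASSUMPTION: default machine-account password rotation interval, in days.
$MachinePwdAgeDays = 30

function Get-TombstoneLifetime {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.Properties['configurationNamingContext'].Value
    # tombstoneLifetime lives on the Directory Service object in the Configuration partition.
    $ds  = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $tsl = $ds.Properties['tombstoneLifetime'].Value
    if ($tsl -eq $null) {
        # Unset means the default applies: 60 days for forests created on 2000/2003,
        # 180 days for forests first created on Windows Server 2003 SP1 or later.
        $tsl = 60
    }
    [int]$tsl
}

function Get-StaleMachineAccounts {
    param([int]$OlderThanDays)
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $defaultNC = $rootDse.Properties['defaultNamingContext'].Value
    # pwdLastSet is stored as a FILETIME (100 ns ticks since 1601-01-01 UTC).
    $cutoff = (Get-Date).AddDays(-$OlderThanDays).ToFileTimeUtc()
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$defaultNC"
    $searcher.PageSize   = 500
    # Computers whose stored password predates the cutoff, excluding domain controllers
    # (userAccountControl bit 8192 = SERVER_TRUST_ACCOUNT; 1.2.840.113556.1.4.803 is the bitwise-AND rule).
    $searcher.Filter = "(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=8192))(pwdLastSet<=$cutoff))"
    [void]$searcher.PropertiesToLoad.Add('name')
    [void]$searcher.PropertiesToLoad.Add('pwdLastSet')
    [void]$searcher.PropertiesToLoad.Add('operatingSystem')
    foreach ($r in $searcher.FindAll()) {
        $raw  = [int64]$r.Properties['pwdlastset'][0]
        # 0 means the password was never set through the normal rotation path.
        $when = $null
        if ($raw -ne 0) { $when = [datetime]::FromFileTimeUtc($raw) }
        New-Object PSObject -Property @{
            Name            = [string]$r.Properties['name'][0]
            OperatingSystem = [string]$r.Properties['operatingsystem'][0]
            PwdLastSet      = $when
        }
    }
}

function Test-RestoreAge {
    param([datetime]$RestoredAt)
    $tsl     = Get-TombstoneLifetime
    $ageDays = [int]((Get-Date) - $RestoredAt).TotalDays
    "Tombstone lifetime: $tsl days. Restored directory data is $ageDays days old."
    if ($ageDays -gt $tsl) {
        $msg = 'Older than the tombstone lifetime: deletions made after {0:yyyy-MM-dd} can no longer be ' +
               'reconciled by replication, so any other DC would be left with lingering objects.'
        Write-Warning ($msg -f $RestoredAt)
    }
}

Test-RestoreAge -RestoredAt $RestorePoint
# Every account listed here is a workstation that will most likely need the leave/rejoin treatment.
Get-StaleMachineAccounts -OlderThanDays $MachinePwdAgeDays | Sort-Object PwdLastSet | Format-Table -AutoSize
```

Machines that were switched off for the whole period (a laptop that was away, say) may still hold the old password and keep working; the list is the set of candidates, not proof of breakage, and Jason210's later observation that only his laptop failed at first is consistent with that.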
LVL 5

Expert Comment

by:RightNL
ID: 19654272
Yup, you will have to do that for all computers.

If the restore was older than 60 days you will also get issues with expired passwords, group memberships, new users that are unknown, etc.

LVL 11

Author Comment

by:Jason210
ID: 19657158
Actually I didn't use a restore - I used a mirrored hard drive - so once the workstations are cleaned out and rejoined, the tombstone shouldn't be an issue, right?
LVL 51

Expert Comment

by:Netman66
ID: 19658504
Whatever method you used, the AD is out of date.

Once you rejoin the workstations, you'll have to also reset all the user passwords that are NOT set to never expire.

Then we'll see what else is broken.
LVL 11

Author Comment

by:Jason210
ID: 19658541
I don't follow. What determines that the AD is out of date? If the hard drive with the entire Windows installation on it, including system files and AD, was mirrored, then as far as I can see, emptying the profiles and rejoining the workstations could work.

How about temporarily putting back the date on all the machines?
LVL 51

Expert Comment

by:Netman66
ID: 19658735
Timestamps on all objects, compared with the current time and date, are what determine currentness.

Once you've booted into the server the current time and date are written in the directory so rolling back the clocks will just create more issues.

You stated this mirror is more than 60 days old.  If the mirror was current (as in the day the primary drive failed) then there should be no issue if you boot from it.

LVL 11

Author Comment

by:Jason210
ID: 19658783
>If the mirror was current (as in the day the primary drive failed) then there should be no issue if you boot from it.

Sorry, can you explain this? Don't follow...
LVL 51

Expert Comment

by:Netman66
ID: 19658909
Mirrored drives are normally both installed in the server - one drive is primary and the other is a mirror.  Is this what you mean by mirrored drive?

LVL 11

Author Comment

by:Jason210
ID: 19658969
We use dynamic drives (yeah, I know, sux) that mirror each other. So I guess one is a mirror and the other primary, but if the primary fails the mirror will boot, and the boot.ini is modified automatically. I happened to have a disk containing either a mirror or a primary that was about 3 months old, and it was easier to try this and update the file server from a recent backup, rather than reinstall the whole operating system.

I'm a bit worried about these AD problems I might be faced with, but am prepared to spend a few days to fix them, if fixing them is feasible. Thanks for your help so far - it's been most useful.

LVL 51

Expert Comment

by:Netman66
ID: 19659019
If you have a recent backup why aren't you using that?

LVL 11

Author Comment

by:Jason210
ID: 19659028
It was just a manual backup of the contents of the file server.
LVL 5

Expert Comment

by:RightNL
ID: 19660595
If you can, I would do a Windows repair on the bootless disk so it creates a boot sector on the disk; this way your AD is newer.

LVL 11

Author Comment

by:Jason210
ID: 19660626
>If you can, I would do a Windows repair on the bootless disk so
>it creates a boot sector on the disk; this way your AD is newer.

Unfortunately, the drive letter changed on the bootless disk. I moved the boot sector manually, and then found I couldn't log on. Nor could I log on to do a Windows repair. I still have the disk and if I could log on to it I could repair it. Anyway, I'm using the earlier backup. Some people came in to the office today and were able to log on without any problems. I have not experienced any password problems. It seems only my laptop was affected so far.
LVL 5

Expert Comment

by:RightNL
ID: 19660668
Use a Windows CD... boot from the CD and tell it to install. It should find the current installation (independent of the drive letter); then choose repair.

 
LVL 11

Author Comment

by:Jason210
ID: 19660787
In order to carry out a repair as you suggest, I need to log on via the Windows CD in the command screen. I cannot log on. This was the whole problem!!!
LVL 11

Author Comment

by:Jason210
ID: 19660820
Anyway - I've decided to go with the old AD option and fix the issues that arise - that is, if they are all fixable. We don't have the possibility of having the server offline except for short periods now and again. I personally have some time (a few days) to fix any problems that may arise out of this.

What I would really appreciate is a worst-case scenario for this type of operation.
LVL 22

Assisted Solution

by:cj_1969
cj_1969 earned 400 total points
ID: 19661259
Is this your only domain controller? If not, then you might have some initial issues with it, but it should refresh all of its information from the other domain controller(s) ... once up to date it should be fine. You might have to tweak and force the replication to get things in sync again, as AD does not like to replicate data that is too old.
Another thought ... if this is a "secondary" domain controller ... just remove AD and make it a member server, and then promote it back to AD ... this will clear AD and then let it sync fresh with the other controller(s).

If this is your only domain controller ... oh well, some data will be out of date, such as passwords and account information, but that should be minor ... as you stated, just deal with those as they arrive.

For computer accounts ... just remove the domain settings from the workstation and then add it back into the domain ... BACK UP the user profiles first or you'll likely lose any info they have in their My Documents, their desktop and application settings.

For user accounts ... you probably don't have users resetting their passwords at all, and if you do, not that often ... password resets should be minimal and a simple change ... worst case, you change it to something generic and set it for the user to change at next log in, and they can set it back to what they have been using.

Any data stored on the server is lost, but if you have a backup you can restore individual files from the backups ... easier than restoring the server  :)

Chances are that's it.

Let us know if you have any other problems and we can address them as they come up ... I think they will be minimal if any.
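cj_1969's checklist (back up the profile, leave the domain, reboot, rejoin; then reset passwords for the users Netman66 singled out earlier, those NOT set to never expire, and force a change at next logon) as an added PowerShell example, not code from this thread. The workstation part is two phases because a reboot sits between them; it assumes PowerShell 2.0 on the workstation, where Remove-Computer and Add-Computer exist but -Restart does not, so Restart-Computer is called separately. Rejoining with the same name reuses the computer account that still exists in the restored directory and sets a fresh machine-account password on both sides, which is what repairs the secure channel. The directory part runs from any domain member as a domain admin and uses ADSI rather than the ActiveDirectory module. Domain name, profile and backup paths, and the temporary-password scheme are assumptions.

```powershell
# Added example (not from the thread). PowerShell 2.0; no ActiveDirectory module needed.

# ASSUMPTIONS: domain name, XP/2003 profile layout (C:\Users on Vista and later), backup location.
$Domain      = 'corp.example.local'
$ProfileRoot = 'C:\Documents and Settings'
$BackupRoot  = 'D:\ProfileBackup'

# --- Workstation, phase 1: run as a LOCAL admin, not as the user whose profile is copied (ntuser.dat is locked) ---
function Backup-Profile {
    param([string]$UserName)
    foreach ($sub in 'My Documents', 'Desktop', 'Favorites', 'Application Data') {
        $src = Join-Path (Join-Path $ProfileRoot $UserName) $sub
        if (Test-Path $src) {
            $dst = Join-Path (Join-Path $BackupRoot $UserName) $sub
            New-Item -ItemType Directory -Path $dst -Force | Out-Null
            Copy-Item -Path (Join-Path $src '*') -Destination $dst -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

function Leave-Domain {
    # Drop to a workgroup; explicit domain credentials still authenticate even though the
    # machine's own secure channel is broken. The computer account stays in AD for the rejoin.
    $cred = Get-Credential "$Domain\Administrator"
    Remove-Computer -Credential $cred -Confirm:$false
    Restart-Computer -Force
}

# --- Workstation, phase 2: after the reboot, logged on as local admin ---
function Join-Domain {
    $cred = Get-Credential "$Domain\Administrator"
    Add-Computer -DomainName $Domain -Credential $cred   # reuses the existing account, new machine password
    Restart-Computer -Force
}

# --- Directory side: enabled users whose password is NOT set to never expire ---
function Get-ExpiringPasswordUsers {
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $defaultNC = $rootDse.Properties['defaultNamingContext'].Value
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$defaultNC")
    $s.PageSize = 500
    # userAccountControl bit 2 = ACCOUNTDISABLE, bit 65536 = DONT_EXPIRE_PASSWORD.
    $s.Filter = '(&(objectCategory=person)(objectClass=user)' +
                '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
                '(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))'
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    [void]$s.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $s.FindAll()) {
        New-Object PSObject -Property @{
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

function New-TemporaryPassword {
    param([int]$Length = 14)
    # Cryptographic RNG with rejection sampling (no modulo bias); one character from each
    # class up front so the result passes the default complexity policy, then shuffled.
    $classes = 'abcdefghjkmnpqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#$%&*+-=?@'
    $all     = ($classes -join '').ToCharArray()
    $rng     = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $pickIndex = {
        param([int]$n)
        $b = New-Object byte[] 1
        do { $rng.GetBytes($b) } while ($b[0] -ge 256 - (256 % $n))
        $b[0] % $n
    }
    $chars = @()
    foreach ($c in $classes) { $set = $c.ToCharArray(); $chars += $set[(& $pickIndex $set.Length)] }
    while ($chars.Count -lt $Length) { $chars += $all[(& $pickIndex $all.Length)] }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {          # Fisher-Yates shuffle
        $j = & $pickIndex ($i + 1)
        $t = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $t
    }
    -join $chars
}

function Reset-RestoredUserPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    $temp = New-TemporaryPassword
    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Set temporary password, force change at next logon')) {
        $user.psbase.Invoke('SetPassword', $temp)        # IADsUser.SetPassword = administrative reset
        $user.Properties['pwdLastSet'].Value = 0         # 0 = user must change password at next logon
        $user.CommitChanges()
        New-Object PSObject -Property @{ DistinguishedName = $DistinguishedName; TemporaryPassword = $temp }
    }
}

# Dry run first; drop -WhatIf to apply. Hand the temporary passwords over out of band, not by e-mail.
Get-ExpiringPasswordUsers | ForEach-Object { Reset-RestoredUserPassword -DistinguishedName $_.DistinguishedName -WhatIf }
```

Users who never changed their password between the mirror date and the failure still have a matching hash in the restored directory and need no reset; the bulk reset is the blunt option cj_1969 describes for when you cannot tell who did.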
LVL 11

Author Comment

by:Jason210
ID: 19661484
>let us know if youhave any other problems and we can address them as they come up

Thanks!!
LVL 22

Expert Comment

by:cj_1969
ID: 19707210
How's it going?  Any problems since the restore?
If not, can you please close this question so that we know you are up and working  :)
LVL 11

Author Comment

by:Jason210
ID: 20181177
Ok, only one problem noticed so far. Some Group policies aren't working.