Solved

Global Catalog Errors.  Demoting the additional domain controller

Posted on 2007-11-23
Last Modified: 2012-08-13
Hi All,
We have two domain controllers in a hosted environment. One of them, Server1, is set up as the Primary Domain Controller and the other, Server2, is set up as the additional domain controller.
Everything was working fine until some changes were made on the PDC with respect to security, as recommended by the penetration-testing group (a third-party company). We now have problems with Active Directory replication, and I can clearly see that any new users created on one of the servers are not being replicated to the other. We are getting errors on Server2 relating to finding the PDC.
I tried to run the netdiag /fix and dcdiag /fix commands. The netdiag /fix went through successfully, but the dcdiag /fix reported a problem with finding the global catalog server.

My query is:
On Server2 (the additional domain controller) we have set up IIS, and it is being used for some web applications. We also have SQL Server installed on it. Could somebody please tell me whether I can run DCPROMO on Server2, demote it, and then promote it again to make it the additional domain controller? Also, would any of the services like IIS, the database etc. be affected in doing so?
or
Do we have any other workaround to fix this issue? Application up-time is very critical to me, because the last thing I want to hear from our clients is that the website is down just two days after its launch date.

Please advise......

Thanks,
nvrkakarla.
Question by:nvrkakarla
7 Comments
 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20338486
I recommend against doing a DC demotion.  At the moment your DCs are not syncing and there is nothing to suggest they will after a DC demote-promote.  Instead, you may want to make your second DC a global catalog, and then see how you go.

You need to ensure that replication is working.  It sounds like your penetration testers have asked you to do something non-standard.  Were they MS Gold Partners?  Have they blocked ports between your DCs?

No supported configuration allows for DCs to have restricted access to each other.  Kerberos may be failing, or LDAP may not allow access...

Expert Comment

by:SteveH_UK
ID: 20338489
PS.  I always recommend a minimum of 2 GCs, though they do not need to both be in the same site.  You should also have a minimum of two DCs per domain, as you do, but demoting one isn't going to help you unless you have also fixed replication.

Part of the demotion process is to replicate all queued changes, so you would not be doing a clean demotion in any case.
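SteveH_UK's suggestion above is to make Server2 a global catalog rather than demote it. The following script is an added example, not code from the thread or from either participant: it sets the GC option bit on the DC's own NTDS Settings object (the same change the checkbox in AD Sites and Services makes) and then waits for the DC to actually start advertising as a GC, which only happens once the partial replicas have finished replicating. The DC name is a placeholder, and it assumes you run it as a domain admin from a PowerShell prompt that can reach the target DC over LDAP.

```powershell
# Added example (not from the thread): enable the Global Catalog on a DC and
# wait until it advertises. Assumed name below; run as a domain admin.
param([string]$Dc = 'SERVER2')   # assumed: the additional DC to make a GC

# The DC's own RootDSE tells us the DN of its NTDS Settings object
# (dsServiceName), so we do not have to guess the site name.
$root   = [ADSI]"LDAP://$Dc/RootDSE"
$ntdsDn = [string]$root.dsServiceName
$ntds   = [ADSI]"LDAP://$Dc/$ntdsDn"

# Bit 0 of the 'options' attribute on NTDS Settings is NTDSDSA_OPT_IS_GC.
$NTDSDSA_OPT_IS_GC = 1
$current = [int]$ntds.options.Value      # unset attribute casts to 0

if ($current -band $NTDSDSA_OPT_IS_GC) {
    "$Dc already has the GC option set on $ntdsDn"
} else {
    # Write the change to the target DC itself so it takes effect locally even
    # while replication from the other DC is unreliable.
    $ntds.Put('options', ($current -bor $NTDSDSA_OPT_IS_GC))
    $ntds.SetInfo()
    "GC option set on $ntdsDn"
}

# Setting the bit is not the same as advertising. The DC only registers the GC
# SRV records and answers on 3268 after it has replicated the read-only copies
# of the other partitions (Directory Service event 1119 when that completes).
# RootDSE exposes that state as isGlobalCatalogReady, so poll it.
$deadline = (Get-Date).AddMinutes(30)
do {
    $root.RefreshCache()
    $ready = ([string]$root.isGlobalCatalogReady) -eq 'TRUE'
    if (-not $ready) { Start-Sleep -Seconds 30 }
} until ($ready -or (Get-Date) -gt $deadline)

"$Dc isGlobalCatalogReady: $ready"
if (-not $ready) {
    Write-Warning "$Dc has not become GC-ready within 30 minutes; fix inbound replication first"
}
```

If the DC never reports ready, the GC flag is not the problem: it cannot finish replicating the partial partitions, which is the same replication fault the thread is about, and the remaining steps in the thread (ports and time) have to be fixed first.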

Author Comment

by:nvrkakarla
ID: 20338579
Hi Steve,
Thanks for your prompt reply. I have tried making Server2 the GC, but with only partial success. After having done this, there seems to be some replication going on between the two servers, as I can see the new users on Server1 after creating them on Server2. But vice versa is not working.
Also, if I go to AD Sites and Services and force replication of Active Directory, it gives the error message "The RPC server is unavailable. This may be a DNS lookup problem".
I have not made any changes to the IP configuration and the DNS settings, but I cannot understand why this is happening!

Please suggest.....
thanks,
nvrkakarla.

Expert Comment

by:SteveH_UK
ID: 20338596
Glad you've got the replication working (at least partially).  The second DC will only advertise itself as a DC once replication has completed.

Secondly, RPC may have been blocked by the penetration testing group.  It requires a whole range of ports.  Microsoft do not support lock-down between DCs or DCs and clients.  We really need to know something of what they did if we are to help you undo their changes.

The RPC server error normally means that you cannot gain access to the server using the RPC protocol.  This is a protocol that is used for a huge amount of stuff in Windows.  This could be down to time issues, or it could be blocked ports etc.

Are your two DCs in the same AD site?
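To turn "RPC requires a whole range of ports" into something you can hand back to the penetration testers, here is an added example (not from the thread) that probes, from one DC, the TCP ports an intra-site replication partner must expose. The peer name is a placeholder. It uses the .NET TcpClient rather than Test-NetConnection so it runs on the PowerShell versions found on older servers, and it distinguishes a timeout (packets dropped by a firewall) from an active refusal.

```powershell
# Added example (not from the thread): from Server1, check that the TCP ports
# AD replication needs are reachable on the peer DC. Assumed name below.
param(
    [string]$PeerDc    = 'server2.corp.example',   # assumed: replace with your peer DC
    [int]   $TimeoutMs = 2000
)

# TCP ports a DC needs on its replication partner. DNS (53) and NTP (123)
# are also used over UDP, which a TCP probe does not exercise.
$requiredPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL share, Netlogon)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog LDAP'
    3269 = 'Global Catalog LDAP over SSL'
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # WaitOne returns $false on timeout: typical of a firewall silently dropping
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)      # throws on an active refusal (RST)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($port in ($requiredPorts.Keys | Sort-Object)) {
    New-Object PSObject -Property @{
        Port    = $port
        Service = $requiredPorts[$port]
        Open    = Test-TcpPort -ComputerName $PeerDc -Port $port -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table Port, Service, Open -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ("Blocked towards {0}: {1}" -f $PeerDc,
        (($blocked | ForEach-Object { $_.Port }) -join ', '))
}

# Caveat: port 135 is only the endpoint mapper. The replication (DRS) interface
# itself listens on a dynamic port (1025-5000 on Windows 2003, 49152-65535 on
# 2008 and later), so 135 being open while replication still reports
# "RPC server is unavailable" usually means the dynamic range is filtered.
# 'portqry -n <dc> -e 135' (PortQry, a Microsoft download) shows which
# port the DRS interface was registered on.
```

If the testers insist on a narrow rule set, the supported way to make the DRS port predictable is to pin it with the documented "TCP/IP Port" registry value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters and allow that port, rather than blocking the dynamic range outright.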

Author Comment

by:nvrkakarla
ID: 20338857
Hi Steve,
Thanks for your reply!

Yes, my two servers are in the same AD site, and replication has improved a little now; it's taking much less time for me to see the users created / deleted compared to the past. Also, following your reply, I have noticed a lot of W32Time errors in the event log. Are these something to do with the issue?

Please advise.....
Thanks,
nvrkakarla.

Accepted Solution

by: SteveH_UK (earned 500 total points)
ID: 20338887
Yes.  The W32 Time service keeps the clocks correct for the entire domain.  Kerberos (and that means authorisation) will not operate correctly if the clocks are skewed.  It will also affect the reliability of other services.

The point about the sites is that you can configure replication between sites to use SMTP or IP, but within site all communication is direct and mustn't be interfered with (i.e. by the penetration testers).
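The accepted answer ties the W32Time errors to Kerberos and hence to replication. The script below is an added example, not code from the thread, that checks the three things the thread ends up on: clock skew between the two DCs measured over NTP, the inbound replication failures each DC reports, and whether a GC can be located at all. Names are placeholders; it assumes it is run on Server1 as a domain admin with w32tm, repadmin and nltest on the PATH (repadmin comes from the Windows Server 2003 Support Tools and is built in from 2008 onward).

```powershell
# Added example (not from the thread): two-DC health check after firewall
# changes. Assumed names; run on Server1 as a domain admin.
param(
    [string]$PeerDc         = 'server2.corp.example',   # assumed
    [string]$Domain         = 'corp.example',            # assumed
    [int]   $MaxSkewSeconds = 300   # Kerberos default: "Maximum tolerance for computer clock synchronization"
)

function Get-ClockSkewSeconds {
    # Sample the peer's clock over NTP. With /dataonly each sample line ends in
    # the offset, e.g. "10:00:00, +00.0003210s". Returns the largest |offset|.
    param([string]$ComputerName, [int]$Samples = 5)
    $lines = & w32tm /stripchart "/computer:$ComputerName" "/samples:$Samples" /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$matches[1]) }
    }
    if (@($offsets).Count -eq 0) {
        throw "No NTP samples from $ComputerName (UDP 123 blocked?):`n$($lines -join "`n")"
    }
    return ($offsets | Measure-Object -Maximum).Maximum
}

function Get-ReplicationFailures {
    # repadmin /showrepl /csv emits one row per inbound partner and naming
    # context; keep the rows with failures. A 'Last Failure Status' of 1722 is
    # "The RPC server is unavailable", 8524 is a DNS lookup failure.
    param([string]$ComputerName)
    & repadmin /showrepl $ComputerName /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Naming Context', 'Source DSA', 'Number of Failures',
                      'Last Failure Status', 'Last Success Time'
}

function Test-GlobalCatalog {
    # Ask the DC locator for a GC; nltest prints a "Flags:" line containing GC
    # when one is found and an error when none advertises.
    param([string]$Domain)
    $out = & nltest "/dsgetdc:$Domain" /gc 2>&1
    return [bool]($out | Where-Object { "$_" -match 'Flags:.*\bGC\b' })
}

$skew = Get-ClockSkewSeconds -ComputerName $PeerDc
"Clock skew vs {0}: {1:N3} s (Kerberos tolerates {2} s)" -f $PeerDc, $skew, $MaxSkewSeconds
if ($skew -gt $MaxSkewSeconds) {
    Write-Warning 'Skew exceeds tolerance: fix W32Time first; Kerberos, and with it replication, fails until it is'
}

foreach ($dc in @($env:COMPUTERNAME, $PeerDc)) {
    "Inbound replication failures reported by $dc"
    $failures = Get-ReplicationFailures -ComputerName $dc
    if ($failures) { $failures | Format-Table -AutoSize } else { '  none' }
}

"Global Catalog locatable for ${Domain}: $(Test-GlobalCatalog -Domain $Domain)"
```

If the skew is large, repair the time hierarchy before chasing replication: on the PDC emulator, point W32Time at an external source with `w32tm /config /manualpeerlist:"<ntp server>" /syncfromflags:manual /reliable:yes /update`, on the other DC use `w32tm /config /syncfromflags:domhier /update`, then `w32tm /resync` on both. NTP is UDP 123, so a firewall rule set built from TCP port lists alone will break it and produce exactly the W32Time errors described above.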

Expert Comment

by:SteveH_UK
ID: 20758657
Glad it helped :)
