Global Catalog Errors. Demoting the additional domain controller

Hi All,
We have two domain controllers in a hosted environment. One of them, Server1, is set up as the Primary Domain Controller and the other, Server2, is set up as the additional domain controller.
Everything was working fine until some changes were made on the PDC with respect to security, as recommended by the penetration-testing group (a third-party company). We now have problems with Active Directory replication, and I can clearly see that new users created on one of the servers are not being replicated to the other. We are getting errors on Server2 relating to finding the PDC.
I tried to run the netdiag /fix and dcdiag /fix commands. The netdiag /fix went through successfully, but the dcdiag /fix reported a problem with finding the global catalog server.

My query is:
On Server2 (the additional domain controller) we have set up IIS, which is being used for some web applications. We also have SQL Server installed on it. Could somebody please suggest whether I can run DCPROMO on Server2, demote it, and then put Active Directory back to make it the additional domain controller again? Also, would any of the services like IIS, the database, etc. be affected in doing so?
or
Do we have any other workaround to fix this issue? Application up-time is very critical to me, because the last thing I want to hear from our clients is that the website is down just two days after its launch date.

Please advise...

Thanks,
nvrkakarla.
SteveH_UKCommented:
I recommend against doing a DC demotion. At the moment your DCs are not syncing, and there is nothing to suggest they will after a DC demote-promote. Instead, you may want to make your second DC a global catalog, and then see how you go.

You need to ensure that replication is working.  It sounds like your penetration testers have asked you to do something non-standard.  Were they MS Gold Partners?  Have they blocked ports between your DCs?

No supported configuration allows for DCs to have restricted access to each other.  Kerberos may be failing, or LDAP may not allow access...
SteveH_UKCommented:
PS.  I always recommend a minimum of 2 GCs, though they do not need to both be in the same site.  You should also have a minimum of two DCs per domain, as you do, but demoting one isn't going to help you unless you have also fixed replication.

Part of the demotion process is to replicate all queued changes, so you would not be doing a clean demotion in any case.
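The two steps SteveH_UK recommends above, making the second DC a global catalog and then confirming that replication actually works in both directions before anyone thinks about a demotion, as an added PowerShell example. This is not code from the thread or from either poster. It assumes the ActiveDirectory module (Server 2008 R2 or later, or RSAT) and the DC names Server1/Server2 from the question; Get-ADReplicationPartnerMetadata needs the Server 2012-era module, so the repadmin calls at the end give the same view on older DCs.

```powershell
# Added example (not from the thread): promote the second DC to a global catalog
# and confirm replication is flowing in both directions before considering any
# demotion. Assumes the ActiveDirectory module and the DC names from the question.
Import-Module ActiveDirectory

$secondDc = 'Server2'   # the additional DC the thread wants to make a GC

# The GC flag is bit 0 of the 'options' attribute on the DC's NTDS Settings object;
# OR-ing it in keeps any other option bits that may already be set.
$dc      = Get-ADDomainController -Identity $secondDc
$ntds    = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
$options = [int]($ntds.options)
if (($options -band 1) -eq 0) {
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ($options -bor 1) }
    Write-Host "GC flag set on $secondDc; it advertises as a GC only once the partial replica has replicated."
}

# Every DC, with its GC status and FSMO roles, as seen from this machine.
Get-ADDomainController -Filter * |
    Select-Object Name, IsGlobalCatalog, Site, OperationMasterRoles

# Inbound replication health for each DC. A non-zero failure count or a stale
# LastReplicationSuccess on either side means demotion would not be clean, because
# dcpromo has to replicate its queued changes out first.
foreach ($name in (Get-ADDomainController -Filter *).HostName) {
    Get-ADReplicationPartnerMetadata -Target $name -Scope Server |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      LastReplicationAttempt, ConsecutiveReplicationFailures, LastReplicationResult
}

# repadmin works on older DCs (Support Tools on Windows Server 2003) and shows the same view.
repadmin /showrepl $secondDc
repadmin /replsummary
```

Run it on either DC with Domain Admin rights. Users created on Server2 that never appear on Server1 will show up here as a failing inbound partner on Server1, with a Windows error code in LastReplicationResult that tells you whether it is RPC, DNS or authentication that is broken.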
nvrkakarlaAuthor Commented:
Hi Steve,
Thanks for your prompt reply. I have tried making Server2 the GC, but with only partial success. After having done this, there seems to be some replication going on between the two servers, as I can see the new users on Server1 after creating them on Server2. But vice versa is not working.
Also, if I go to AD Sites and Services and force replication of Active Directory, it gives the error message "The RPC server is unavailable. This may be a DNS lookup problem".
I have not made any changes to the IP configuration or the DNS settings, but I cannot understand why this is happening!

Please suggest...
thanks,
nvrkakarla.
SteveH_UKCommented:
Glad you've got replication working (at least partially). The second DC will only advertise itself as a DC once replication has completed.

Secondly, RPC may have been blocked by the penetration testing group. It requires a whole range of ports. Microsoft does not support lock-down between DCs or between DCs and clients. We really need to know something of what they did if we are to help you undo their changes.

The RPC server error normally means that you cannot gain access to the server using the RPC protocol. This is a protocol that is used for a huge amount of stuff in Windows. This could be down to time issues, or it could be blocked ports, etc.

Are your two DCs in the same AD site?
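A quick way to find out whether the pentesters' hardening is what is blocking RPC, as an added example that is not code from the thread: run this on Server2 and it probes the fixed ports DC-to-DC traffic depends on and checks that the DNS SRV records the DC locator uses still resolve, which is what the "may be a DNS lookup problem" wording in the error hints at. The DC name, the domain name and the port list are assumptions to adjust. Resolve-DnsName exists on Windows 8 / Server 2012 and later; on older hosts use nslookup -type=SRV for the same lookup. It does not sweep the RPC dynamic port range (49152-65535 on 2008 and later, 1025-5000 on 2003), which also has to be open between DCs.

```powershell
# Added example (not from the thread): can this DC reach the PDC on the ports AD
# replication needs, and do the DC-locator SRV records resolve? Names, domain and
# port list are assumptions; run on Server2 against Server1.
param(
    [string]$Pdc    = 'Server1',
    [string]$Domain = 'example.local'
)

# Static ports DC-to-DC traffic needs. 135 is the endpoint mapper that hands out the
# dynamic port for DRS replication; block it and you get exactly
# "The RPC server is unavailable".
$ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / netlogon)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global catalog LDAP'
}

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        # A silently dropped SYN (firewall) shows up as a timeout, a refused one as an exception.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

foreach ($port in ($ports.Keys | Sort-Object)) {
    $state = if (Test-TcpPort -Computer $Pdc -Port $port) { 'open' } else { 'BLOCKED or closed' }
    '{0,-6} {1,-28} {2}' -f $port, $ports[$port], $state
}

# The DC locator finds DCs and GCs through these SRV records. A missing record is
# the "DNS lookup problem" the RPC error message mentions.
foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain", "_gc._tcp.$Domain") {
    try {
        Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { '{0} -> {1}:{2}' -f $srv, $_.NameTarget, $_.Port }
    } catch { "MISSING: $srv ($($_.Exception.Message))" }
}

# A port being open only proves nothing filters it; the replication view itself is
# repadmin /showrepl (1722 = RPC server unavailable, 8524 = DNS lookup failure).
repadmin /showrepl
```

If 135 is open but replication still fails with 1722, the dynamic range is the usual culprit; if every port is open and the SRV records resolve, look at the time errors in the next replies rather than at the firewall.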
nvrkakarlaAuthor Commented:
Hi Steve,
Thanks for your reply!

Yes, my two servers are in the same AD site, and replication has improved a little now; it takes much less time for me to see users created or deleted compared to the past. Also, following on from your reply, I have noticed a lot of W32Time errors in the event log. Are these something to do with the issue?

Please advise...
Thanks,
nvrkakarla.
SteveH_UKCommented:
Yes.  The W32 Time service keeps the clocks correct for the entire domain.  Kerberos (and that means authorisation) will not operate correctly if the clocks are skewed.  It will also affect the reliability of other services.

The point about the sites is that you can configure replication between sites to use SMTP or IP, but within a site all communication is direct and mustn't be interfered with (i.e. by the penetration testers).
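The clock-skew point above, turned into a check you can run on Server2, as an added example that is not code from the thread: it asks the Windows Time service where it is syncing from, samples the offset against the PDC emulator (the root of the domain time hierarchy), and compares it with the 5-minute tolerance Kerberos applies by default. It assumes the ActiveDirectory module is installed; w32tm /query needs Vista / Server 2008 or later, while /stripchart and /resync also work on 2003.

```powershell
# Added example (not from the thread): measure this DC's clock offset against the
# PDC emulator and compare it with Kerberos' default MaxClockSkew of 5 minutes.
# Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

$pdc            = (Get-ADDomain).PDCEmulator   # authoritative time source for the domain
$maxSkewSeconds = 300                          # Kerberos default MaxClockSkew

# "Local CMOS Clock" or "Free-running System Clock" here means no sync at all.
"Time source on $env:COMPUTERNAME : " + (w32tm /query /source)

# /stripchart /dataonly prints one line per sample, e.g. "12:00:01, +00.0123456s";
# capture the offsets and take the last one.
$raw     = w32tm /stripchart /computer:$pdc /samples:3 /dataonly 2>&1
$offsets = $raw | ForEach-Object {
    if ($_ -match ',\s*([+-]\d+(?:\.\d+)?)s') { [double]$Matches[1] }
}

if (-not $offsets) {
    Write-Warning "No samples from $pdc (output: $($raw -join ' ')). NTP (UDP 123) to the PDC may be blocked."
} else {
    $offset = $offsets[-1]
    '{0} is {1:N3}s from {2}' -f $env:COMPUTERNAME, $offset, $pdc
    if ([math]::Abs($offset) -gt $maxSkewSeconds) {
        Write-Warning "Skew exceeds $maxSkewSeconds s: Kerberos fails (KRB_AP_ERR_SKEW) until time is fixed."
        # Resync from the domain hierarchy instead of setting the clock by hand.
        w32tm /resync /rediscover
    }
}
```

A skew well under 300 s with W32Time errors still in the log usually means the service cannot reach its source (UDP 123 blocked) and is drifting towards the limit; a skew over it explains both the RPC failures and the one-way replication, because the DC whose clock is wrong cannot authenticate to its partner.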
SteveH_UKCommented:
Glad it helped :)