nvrkakarla asked:
Global Catalog Errors. Demoting the additional domain controller

Hi All,
We have two domain controllers in a hosted environment. One of them, Server1, is set up as the Primary Domain Controller and the other, Server2, is set up as the additional domain controller.
Everything was working fine until some changes were made on the PDC with respect to security, as recommended by the Penetration-Testing group (a third-party company). We now have problems with Active Directory replication, and I can clearly see that any new users created on one of the servers are not being replicated to the other. We are getting errors on Server2 relating to finding the PDC.
I tried to run the netdiag /fix and dcdiag /fix commands. The netdiag /fix went through successfully, but the dcdiag /fix reported a problem with finding the global catalog server.

My query is:
On Server2 (Additional Domain Controller) we have set up IIS, and it is being used for some web applications. We also have SQL Server installed on it. Could somebody please suggest whether I can run DCPROMO on Server2, demote it and then put Active Directory back to make it the additional domain controller? Also, would any of the services like IIS, the database etc. be affected in doing so?
or
Do we have any other workaround to fix this issue? Application up-time is very critical to me, because the last thing I want to hear from our clients is that the website is down just two days after its launch date.

Please advise......

Thanks,
nvrkakarla.
SteveH_UK:

I recommend against doing a DC demotion.  At the moment your DCs are not syncing and there is nothing to suggest they will after a DC demote-promote.  Instead, you may want to make your second DC a global catalog, and then see how you go.

You need to ensure that replication is working.  It sounds like your penetration testers have asked you to do something non-standard.  Were they MS Gold Partners?  Have they blocked ports between your DCs?

No supported configuration allows DCs to have restricted access to each other.  Kerberos may be failing, or LDAP may not allow access...
PS.  I always recommend a minimum of 2 GCs, though they do not both need to be in the same site.  You should also have a minimum of two DCs per domain, as you do, but demoting one isn't going to help you unless you have also fixed replication.

Part of the demotion process is to replicate all queued changes, so you would not be doing a clean demotion in any case.
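The checks Steve is pointing at (is replication completing, which DC currently holds the Global Catalog, and how to make Server2 a GC), as an added PowerShell example that is not part of the original thread. It assumes the two DC names from the question, a hypothetical domain name corp.example.com, and that the Windows Support Tools (repadmin, dcdiag, nltest, dsquery) are installed, as they are on a Windows Server 2003 DC with the Support Tools or on Windows Server 2008 and later by default.

```powershell
# Added example (not from the thread): inspect replication and GC state before
# deciding on a demote/promote. Run from an elevated prompt on either DC.
$Domain = 'corp.example.com'          # assumption: replace with your AD DNS domain
$Dcs    = @('Server1', 'Server2')     # DC names taken from the question

# 1. Inbound replication status per naming context. A healthy link shows
#    "Last attempt @ ... was successful"; a failing one names the error.
foreach ($dc in $Dcs) {
    Write-Host "=== repadmin /showrepl $dc ==="
    repadmin /showrepl $dc
}

# 2. Forest-wide summary: per-DC failure counts and the most recent error.
repadmin /replsummary

# 3. Which DCs currently hold the Global Catalog role.
dsquery server -isgc

# 4. Which GC the DC locator actually hands out for this domain.
nltest "/dsgetdc:$Domain" /gc

# 5. Whether each DC is advertising itself as DC and GC. A DC that has not
#    finished initial replication of the GC partitions does not advertise as a
#    GC yet, which is one reason dcdiag can report that it cannot find a GC.
foreach ($dc in $Dcs) {
    dcdiag "/s:$dc" /test:advertising
}

# 6. Make Server2 a Global Catalog, as suggested. Setting the flag only starts
#    the process; re-run step 5 until Server2 advertises as GC.
repadmin /options Server2 +IS_GC
repadmin /options Server2              # verify IS_GC now appears in the list
```

Steps 1 to 5 are read-only and safe to run while the site is live; only step 6 changes anything, and it is the change Steve recommends in place of a demotion.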
nvrkakarla (asker):
Hi Steve,
Thanks for your prompt reply. I have tried making Server2 the GC, but with only partial success. After having done this, there seems to be some replication going on between the two servers, as I can see the new users on Server1 after creating them on Server2. But the vice versa is not working.
Also, if I go to AD Sites and Services and force replication of Active Directory, it's giving the error message "The RPC server is unavailable. This may be a DNS lookup problem".
I have not made any changes to the IP configuration or the DNS settings, but I cannot understand why this is happening!

Please suggest.....
thanks,
nvrkakarla.
SteveH_UK:

Glad you've got the replication working (at least partially).  The second DC will only advertise itself as a DC once replication has completed.

Secondly, RPC may have been blocked by the penetration testing group.  It requires a whole range of ports.  Microsoft do not support lock-down between DCs or between DCs and clients.  We really need to know something of what they did if we are to help you undo their changes.

The RPC server error normally means that you cannot gain access to the server using the RPC protocol.  This is a protocol that is used for a huge amount of stuff in Windows.  This could be down to the time issues, or it could be blocked ports etc.

Are your two DCs in the same AD site?
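A way to narrow down the "RPC server is unavailable" error and the site and time questions Steve raises, as an added PowerShell example that is not from the original thread. It assumes it is run on Server2 against Server1 (names from the question) and uses .NET TcpClient rather than Test-NetConnection so it also works on older Windows PowerShell versions. The port list is the standard set of DC-to-DC ports; the dynamic RPC range noted in the comments is the part that a port-by-port firewall lock-down most often misses.

```powershell
# Added example (not from the thread): DC-to-DC connectivity, site and time
# checks from Server2 towards Server1. Names are taken from the question.
$Target = 'Server1'

# Ports a DC must reach on its partner. Replication uses RPC: the client asks
# the endpoint mapper (135) and is redirected to a port in the dynamic range
# (1025-5000 on Windows Server 2003, 49152-65535 on 2008 and later), so a
# firewall that permits only the ports below still breaks replication.
$Ports = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB / Netlogon' },
    @{ Port = 464;  Name = 'Kerberos password change' },
    @{ Port = 636;  Name = 'LDAPS' },
    @{ Port = 3268; Name = 'Global Catalog LDAP' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Name resolution: the error text itself points at DNS.
[System.Net.Dns]::GetHostAddresses($Target) | ForEach-Object { $_.IPAddressToString }

# 2. TCP reachability of the well-known DC ports.
foreach ($p in $Ports) {
    $ok = Test-TcpPort -ComputerName $Target -Port $p.Port
    "{0,-28} {1,5}  {2}" -f $p.Name, $p.Port, $(if ($ok) { 'open' } else { 'BLOCKED/closed' })
}

# 3. Confirm both DCs really are in the same AD site.
nltest /dsgetsite
nltest "/server:$Target" /dsgetsite

# 4. Clock offset against the partner. Kerberos rejects tickets when clocks
#    differ by more than 5 minutes (default), which also surfaces as RPC errors.
w32tm /stripchart "/computer:$Target" /samples:3 /dataonly

# 5. The W32Time events the asker mentions.
Get-EventLog -LogName System -Source W32Time -Newest 10 |
    Format-Table TimeGenerated, EntryType, EventID, Message -AutoSize -Wrap
```

If step 2 shows 135 open but replication still fails with the RPC error, the dynamic range is the first thing to check in the firewall rules the testers left behind; a closed 135 or a large offset in step 4 each explain the error on its own.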
nvrkakarla (asker):

Hi Steve,
Thanks for your reply!

Yes, my two servers are in the same AD site, and replication has improved a little now; it's taking much less time for me to see the users created / deleted compared to the past. Also, following your reply, I have noticed a lot of W32Time errors in the event log; are these something to do with the issue?

Please advise.....
Thanks,
nvrkakarla.
ASKER CERTIFIED SOLUTION by SteveH_UK (text not available on this page)
Glad it helped :)